{"url":"http://public2.vulnerablecode.io/api/packages/630366?format=json","purl":"pkg:composer/codeigniter4/framework@4.3.2","type":"composer","namespace":"codeigniter4","name":"framework","version":"4.3.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.7.3","latest_non_vulnerable_version":"4.7.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132576?format=json","vulnerability_id":"VCID-1znc-1bss-pkaj","summary":"CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46240","reference_id":"","reference_type":"","scores":[{"value":"0.00426","scoring_system":"epss","scoring_elements":"0.62819","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00426","scoring_system":"epss","scoring_elements":"0.62717","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46240"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46240","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://
nvd.nist.gov/vuln/detail/CVE-2023-46240"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563","reference_id":"423569fc31e29f51635a2e59c89770333f0e7563","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-05T17:35:16Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"},{"reference_url":"https://codeigniter4.github.io/userguide/general/errors.html#error-reporting","reference_id":"errors.html#error-reporting","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-05T17:35:16Z/"}],"url":"https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"},{"reference_url":"https://github.com/advisories/GHSA-hwxf-qxj7-7rfj","reference_id":"GHSA-hwxf-qxj7-7rfj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hwxf-qxj7-7rfj"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj","reference_id":"GHSA-hwxf-qxj7-7rfj","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/20
24-09-05T17:35:16Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379119?format=json","purl":"pkg:composer/codeigniter4/framework@4.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dtde-gj8c-a7br"},{"vulnerability":"VCID-jdsk-9fw6-buhu"},{"vulnerability":"VCID-kqy2-2nun-27cn"},{"vulnerability":"VCID-p6ns-5khc-77au"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.4.3"}],"aliases":["CVE-2023-46240","GHSA-hwxf-qxj7-7rfj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1znc-1bss-pkaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143633?format=json","vulnerability_id":"VCID-dq2u-p7ju-6yfd","summary":"CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. 
This issue is patched in version 4.3.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32692","reference_id":"","reference_type":"","scores":[{"value":"0.01956","scoring_system":"epss","scoring_elements":"0.8387","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01956","scoring_system":"epss","scoring_elements":"0.83927","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32692"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md#v435-2023-05-21","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md#v435-2023-05-21"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/commit/6af677177fa1d9ad62f7a793bc96cba3068632ba","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4/commit/6af677177fa1d9ad62f7a793bc96cba3068632ba"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32692","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_eleme
nts":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32692"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md","reference_id":"CHANGELOG.md","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-10T20:38:34Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md"},{"reference_url":"https://github.com/advisories/GHSA-m6m8-6gq8-c9fj","reference_id":"GHSA-m6m8-6gq8-c9fj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6m8-6gq8-c9fj"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj","reference_id":"GHSA-m6m8-6gq8-c9fj","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-10T20:38:34Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382048?format=json","purl":"pkg:composer/codeigniter4/framework@4.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1znc-1bss-pkaj"},{"vulnerability":"VCID-dtde-gj8c-a7br"},{"vulnerability":"VCID-jdsk-9fw6-buhu"},{"vulnerability":"VCID-kqy2-2nun-27cn"},{"vulnerability":"VCID-p6ns-5khc-77au"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigni
ter4/framework@4.3.5"}],"aliases":["CVE-2023-32692","GHSA-m6m8-6gq8-c9fj","GMS-2023-1562"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dq2u-p7ju-6yfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48033?format=json","vulnerability_id":"VCID-dtde-gj8c-a7br","summary":"CodeIgniter is a PHP full-stack web framework. A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server. Upgrade to v4.4.7 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29904","reference_id":"","reference_type":"","scores":[{"value":"0.00744","scoring_system":"epss","scoring_elements":"0.73546","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00744","scoring_system":"epss","scoring_elements":"0.73473","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29904"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29904","reference_id":"CVE-2024-29904","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29904"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/commit/fa851acbae7ae4c5a97f8f38ae87aa0822a334c0","reference_id":"fa851acbae7ae4c5a97f8f38ae87aa0822a334c0","reference_type":"","scores":[{"value":"7.5","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-01T20:01:34Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/commit/fa851acbae7ae4c5a97f8f38ae87aa0822a334c0"},{"reference_url":"https://github.com/advisories/GHSA-39fp-mqmm-gxj6","reference_id":"GHSA-39fp-mqmm-gxj6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39fp-mqmm-gxj6"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6","reference_id":"GHSA-39fp-mqmm-gxj6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-01T20:01:34Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30103?format=json","purl":"pkg:composer/codeigniter4/framework@4.4.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jdsk-9fw6-buhu"},{"vulnerability":"VCID-kqy2-2nun-27cn"},{"vulnerability":"VCID-p6ns-5khc-77au"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.4.7"}],"aliases":["CVE-2024-29904","GHSA-39fp-mqmm-gxj6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dtde-gj8c-a7br"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100573?format=json","vulnerabilit
y_id":"VCID-jdsk-9fw6-buhu","summary":"A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-45406","reference_id":"","reference_type":"","scores":[{"value":"0.00207","scoring_system":"epss","scoring_elements":"0.43174","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00207","scoring_system":"epss","scoring_elements":"0.43331","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-45406"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496"},{"reference_url":"https://github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://
github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-45406","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-45406"},{"reference_url":"https://www.exploit-db.com/exploits/50556","reference_id":"50556","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/"}],"url":"https://www.exploit-db.com/exploits/50556"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15943","reference_id":"CVE-2020-15943","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15943"},{"reference_url":"https://github.com/advisories/GHSA-49jm-g4m8-x53p","reference_id":"GHSA-49jm-g4m8-x53p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-49jm-g4m8-x53p"},{"reference_url":"https://github.com/advisories/GHSA-7h5r-54mm-w4pq","reference_id":"GHSA-7h5r-54mm-w4pq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/"}],"url":"https://github.com/ad
visories/GHSA-7h5r-54mm-w4pq"},{"reference_url":"https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190","reference_id":"when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/"}],"url":"https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190"}],"fixed_packages":[],"aliases":["CVE-2025-45406","GHSA-49jm-g4m8-x53p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jdsk-9fw6-buhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88042?format=json","vulnerability_id":"VCID-kqy2-2nun-27cn","summary":"CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed, or provide malicious text content or options that get executed when adding text to images. Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. 
For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54418","reference_id":"","reference_type":"","scores":[{"value":"0.03881","scoring_system":"epss","scoring_elements":"0.88551","published_at":"2026-06-12T12:55:00Z"},{"value":"0.03881","scoring_system":"epss","scoring_elements":"0.88512","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54418"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54418","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54418"},{"reference_url":"https://cwe.mitre.org/data/definitions/78.html","reference_id":"78.html","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-28T17:19:03Z/"}],"url":"https://cwe.
mitre.org/data/definitions/78.html"},{"reference_url":"https://owasp.org/www-community/attacks/Command_Injection","reference_id":"Command_Injection","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-28T17:19:03Z/"}],"url":"https://owasp.org/www-community/attacks/Command_Injection"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0","reference_id":"e18120bff1da691e1d15ffc1bf553ae7411762c0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-28T17:19:03Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0"},{"reference_url":"https://github.com/advisories/GHSA-9952-gv64-x94c","reference_id":"GHSA-9952-gv64-x94c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9952-gv64-x94c"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c","reference_id":"GHSA-9952-gv64-x94c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-28T17:19:03Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api
/packages/378518?format=json","purl":"pkg:composer/codeigniter4/framework@4.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jdsk-9fw6-buhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.6.2"}],"aliases":["CVE-2025-54418","GHSA-9952-gv64-x94c"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kqy2-2nun-27cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/124426?format=json","vulnerability_id":"VCID-p6ns-5khc-77au","summary":"CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper validation of header names and values. A potential attacker can construct deliberately malformed headers with the Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application. 
This vulnerability is fixed in 4.5.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-24013","reference_id":"","reference_type":"","scores":[{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41132","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40966","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-24013"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/codeigniter4/CodeIgniter4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24013","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24013"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6","reference_id":"5f8aa24280fb09947897d6b322bf1f0e038b13b6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:50:53Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6"},{"reference_url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw","reference_id":"GHSA-wxmh-65f7-jcvw","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/
AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:50:53Z/"}],"url":"https://github.com/advisories/GHSA-wxmh-65f7-jcvw"},{"reference_url":"https://github.com/advisories/GHSA-x5mq-jjr3-vmx6","reference_id":"GHSA-x5mq-jjr3-vmx6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x5mq-jjr3-vmx6"},{"reference_url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6","reference_id":"GHSA-x5mq-jjr3-vmx6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:50:53Z/"}],"url":"https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc7230#section-3.2","reference_id":"rfc7230#section-3.2","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:50:53Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc7230#section-3.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377082?format=json","purl":"pkg:composer/codeigniter4/framework@4.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jdsk-9fw6-buhu"},{"vulnerability":"VCID-kqy2-2nun-27cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.5.8"}],"aliases":["CVE-2025-24013","GHSA-x5mq
-jjr3-vmx6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p6ns-5khc-77au"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.3.2"}