Vulnerability details: VCID-dq2u-p7ju-6yfd
Vulnerability ID VCID-dq2u-p7ju-6yfd
Aliases CVE-2023-32692
GHSA-m6m8-6gq8-c9fj
GMS-2023-1562
Summary CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
epss 0.01956 https://api.first.org/data/v1/epss?cve=CVE-2023-32692
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-m6m8-6gq8-c9fj
cvssv3.1 9.8 https://github.com/codeigniter4/CodeIgniter4
generic_textual CRITICAL https://github.com/codeigniter4/CodeIgniter4
cvssv3.1 9.8 https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
generic_textual CRITICAL https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
ssvc Track https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
cvssv3.1 9.8 https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md#v435-2023-05-21
generic_textual CRITICAL https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md#v435-2023-05-21
cvssv3.1 9.8 https://github.com/codeigniter4/CodeIgniter4/commit/6af677177fa1d9ad62f7a793bc96cba3068632ba
generic_textual CRITICAL https://github.com/codeigniter4/CodeIgniter4/commit/6af677177fa1d9ad62f7a793bc96cba3068632ba
cvssv3.1 9.8 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
cvssv3.1_qr CRITICAL https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
generic_textual CRITICAL https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
ssvc Track https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-32692
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-32692
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/codeigniter4/CodeIgniter4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-10T20:38:34Z/ Found at https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md#v435-2023-05-21
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/codeigniter4/CodeIgniter4/commit/6af677177fa1d9ad62f7a793bc96cba3068632ba
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-10T20:38:34Z/ Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-m6m8-6gq8-c9fj
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-32692
Exploit Prediction Scoring System (EPSS)
Percentile 0.8387
EPSS Score 0.01956
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:26:47.842741+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/32xxx/CVE-2023-32692.json 38.6.0