Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-q87f-r6t7-5qhk
Vulnerability ID VCID-q87f-r6t7-5qhk
Aliases CVE-2022-24712
GHSA-4v37-24gm-h554
Summary CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. If auto-routing is enabled, check the request method in the controller method before processing. If auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes; or check the request method in the controller method before processing.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2022-24712
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2022-24712
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2022-24712
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4v37-24gm-h554
cvssv3.1 6.3 https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
generic_textual MODERATE https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
ssvc Track https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
cvssv3.1 6.3 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
cvssv3.1_qr MODERATE https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
generic_textual MODERATE https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
ssvc Track https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
cvssv3.1 6.3 https://nvd.nist.gov/vuln/detail/CVE-2022-24712
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-24712
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-24712
CVE-2022-24712 https://nvd.nist.gov/vuln/detail/CVE-2022-24712
GHSA-4v37-24gm-h554 https://github.com/advisories/GHSA-4v37-24gm-h554
GHSA-4v37-24gm-h554 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
v4.1.9.rst https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:51Z/ Found at https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:51Z/ Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24712
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.22885
EPSS Score 0.00076
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:41:20.101089+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/24xxx/CVE-2022-24712.json 38.6.0