CodeIgniter Vulnerability Exposes Millions of Webapps to File Upload Attacks

The flaw, classified under CWE-78 (OS Command Injection), affects all CodeIgniter4 applications running versions prior to 4.6.2 that use the ImageMagick library for image processing. The vulnerability, tracked as CVE-2025-54418, was published to the GitHub Advisory Database on July 28, 2025, and was assigned critical severity because it can lead to complete system compromise. It received a CVSS score of 9.8, placing it in the highest (Critical) severity band and indicating immediate risk to affected systems; the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates maximum impact across confidentiality, integrity, and availability.

The vulnerability manifests through two primary attack vectors within applications that use the ImageMagick handler (imagick as the image library). The second vector targets the text() method, where malicious content or options provided by users can result in command execution when adding text overlays to images. This type of vulnerability is particularly concerning because it bypasses traditional input validation mechanisms that focus on file content rather than metadata such as filenames.

CodeIgniter4 developers have released version 4.6.2 as an emergency patch to address this critical vulnerability in the CodeIgniter4 (<4.6.2) ImageMagick handler.
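
As an added example (not from the article or the CodeIgniter project), the triage script below checks whether a CodeIgniter4 install is exposed: it reads the locked framework version from composer.lock and whether app/Config/Images.php selects the imagick handler, then compares against the 4.6.2 fix. The Packagist name codeigniter4/framework, the Config\Images $defaultHandler property and the two sample files are assumptions about a typical install; apps that pick imagick per call through Services::image('imagick') are not detected by the config check.

```python
import json
import re

# Constructed sample inputs (not taken from the article) standing in for a
# project's composer.lock and app/Config/Images.php.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "codeigniter4/framework", "version": "v4.6.1"},
    {"name": "psr/log", "version": "3.0.0"},
]})
SAMPLE_IMAGES_CONFIG = """<?php
namespace Config;
class Images extends \\CodeIgniter\\Config\\BaseConfig
{
    public string $defaultHandler = 'imagick';
}
"""
FIXED_VERSION = (4, 6, 2)  # first release carrying the fix for CVE-2025-54418

def parse_version(text):
    """Turn 'v4.6.1' or '4.6.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.groups())

def installed_framework_version(lock_json):
    """Return the locked codeigniter4/framework version tuple, or None if absent."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "codeigniter4/framework":
            return parse_version(pkg["version"])
    return None

def uses_imagick_handler(images_php):
    """True if Config\\Images makes 'imagick' the default image handler.
    Conservative: per-call Services::image('imagick') selections are not seen."""
    return re.search(r"\$defaultHandler\s*=\s*['\"]imagick['\"]", images_php) is not None

def assess(lock_json, images_php):
    """Classify exposure to the ImageMagick-handler flaw from the two files."""
    version = installed_framework_version(lock_json)
    if version is None:
        return "framework-not-found"
    if not uses_imagick_handler(images_php):
        return "default-handler-not-imagick"
    return "vulnerable" if version < FIXED_VERSION else "patched"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_IMAGES_CONFIG))  # vulnerable
```

Run it against a real project by reading composer.lock and app/Config/Images.php into the two arguments; a "vulnerable" result means upgrade to 4.6.2 or later before the handler touches any user-supplied filename or text() input.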

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 29 Jul 2025 14:15:15 +0000
