Software Detail
CodeIgniter
Number Of NVD: 37 (CRITICAL 21, HIGH 6, MEDIUM 8, LOW 1)
URL: https://www.codeigniter.com/
Explanation: It is a free and open MVC web framework for rapid development in PHP. It is one of the oldest and most widely used PHP frameworks, and since version 3 it has been licensed under the MIT license, which solves the licensing problem.
Tag
  • MIT License
  • PHP

Add Information URL
No Type Name URL
1 https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
2 https://www.codeigniter.com/userguide3/changelog.html

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support | Service Pack Support | Extended for a fee | Critical | High | Medium | Low
21 CodeIgniter 4 4.7.2 March 24, 2026 Feb. 24, 2020 4 5 2 0
22 CodeIgniter 3 3.1.13 March 4, 2022 March 30, 2015 15 4 0 0
23 CodeIgniter 2 2.2.5 Oct. 31, 2015 6 3 2 0
24 CodeIgniter 1 1.7.2 Jan. 1, 2000 6 3 6 1
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date | Published date
21 9.8
7.5
CRITICAL
Network
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP reque…
CWE-20 Improper Input Validation
CVE-2022-24711 cpe:2.3:a:codeigniter:codeigniter:*:* 4.0.0 4.1.9 2024-11-21 15:50
2022-03-1
22 6.1
4.3
MEDIUM
Network
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Atta…
CWE-79 Cross-site Scripting
CVE-2022-21715 cpe:2.3:a:codeigniter:codeigniter:*:* 4.0.0 4.1.8 2024-11-21 15:45
2022-01-25
23 9.8
7.5
CRITICAL
Network
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary ob…
CWE-502 Deserialization of Untrusted Data
CVE-2022-21647 cpe:2.3:a:codeigniter:codeigniter:*:* 4.0.0 4.1.6 2024-11-21 15:45
2022-01-5
24 8.8
6.5
HIGH
Network
CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the is…
CWE-269 Improper Privilege Management
CVE-2020-10793 cpe:2.3:a:codeigniter:codeigniter:*:* 4.0.0 2024-11-21 13:56
2020-03-24
25 6.1
4.3
MEDIUM
Network
EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks.
CWE-79 Cross-site Scripting
CVE-2012-1915 cpe:2.3:a:codeigniter:codeigniter:*:* 2.1.2 2024-11-21 10:38
2020-01-10
26 9.8
7.5
CRITICAL
Network
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
CWE-384 Session Fixation
CVE-2018-12071 cpe:2.3:a:codeigniter:codeigniter:*:* 3.1.9 2024-11-21 12:44
2018-06-18
27 9.8
7.5
CRITICAL
Network
SQL injection vulnerability in the offset method in the Active Record class in CodeIgniter before 2.2.4 allows remote attackers to execute arbitrary SQL commands via vectors involving the offset vari…
CWE-89 SQL Injection
CVE-2015-5725 cpe:2.3:a:codeigniter:codeigniter:*:* 2.2.4 2024-11-21 11:33
2018-02-22
28 6.1
4.3
MEDIUM
Network
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag.
CWE-79 Cross-site Scripting
CVE-2013-4891 cpe:2.3:a:codeigniter:codeigniter:*:* 2.1.4 2024-11-21 10:56
2018-02-22
29 7.5
5.0
HIGH
Network
British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws.
CWE-20 Improper Input Validation
CVE-2017-1000247 cpe:2.3:a:codeigniter:codeigniter:3.1.3:* 2024-11-21 12:04
2017-11-17
30 9.8
5.0
CRITICAL
Network
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.
CWE-310 Cryptographic Issues
CVE-2014-8686 cpe:2.3:a:codeigniter:codeigniter:*:* 2.1.4 2024-11-21 11:19
2017-09-20