CVE-2026-48062

CVE-2026-48062: CodeIgniter4 File Upload Extension Validation Bypass (ext_in Rule)

CVE-2026-48062 affects CodeIgniter4 framework versions prior to 4.7.2. The `ext_in` validation rule does not correctly enforce its allowed-extension list on uploaded files, so an attacker can bypass the restriction and upload arbitrary files, including web shells or malicious executables. This unrestricted file upload vulnerability (CWE-434) carries a CVSS score of 9.8 and has a public proof-of-concept. Successful exploitation can lead to remote code execution on the hosting server.


What is CVE-2026-48062 (CodeIgniter4 File Upload Extension Validation Bypass, ext_in Rule)?

In MITRE ATT&CK terms, CVE-2026-48062 (CodeIgniter4 File Upload Extension Validation Bypass, ext_in Rule) maps to the Initial Access, Execution and Persistence tactics: the adversary uploads a file to get a foothold on the web host, executes it, and leaves the web shell in place for continued access.

This page provides production-ready detection logic for CVE-2026-48062, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel, specifically the DeviceFileEvents and DeviceProcessEvents tables. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic: Initial Access, Execution, Persistence
Microsoft Sentinel / Defender

// Sentinel column names; in the Defender portal (Advanced Hunting) the time column is Timestamp rather than TimeGenerated.
let lookback = 7d;
let web_dirs = dynamic(["writable", "uploads", "public", "assets", "tmp", "cache"]);
let script_exts = dynamic(["php", "phtml", "php5", "php7", "phar", "shtml", "pht"]);
// Branch 1: a server-side script is written or renamed into a web-accessible or upload directory.
// has_any matches whole terms, so a double extension such as shell.php.jpg still trips on "php".
let script_writes = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FolderPath has_any (web_dirs)
    | where FileName has_any (script_exts);
// Branch 2: a program is executed directly out of one of those directories (an uploaded binary).
let exec_from_upload = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where FolderPath has_any (web_dirs);
union script_writes, exec_from_upload
| project TimeGenerated, DeviceName, DeviceId, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc

Surfaces file creation, modification or rename events in which a server-side script (PHP and its common aliases) lands in a web-accessible or upload directory, and process launches whose image lives in such a directory. Either may indicate exploitation of the CodeIgniter4 ext_in validation bypass, which lets an attacker place a web shell or executable where the web server will serve or run it.

Severity: critical. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel
  • DeviceFileEvents
  • DeviceProcessEvents

Required Tables

  • DeviceFileEvents
  • DeviceProcessEvents

False Positives

  • Legitimate PHP application deployments or updates to upload directories
  • Automated content management systems writing PHP-based templates to upload paths
  • Developer activity placing scripts in writable directories during testing
  • Backup or migration tools restoring PHP files to web-accessible paths
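To make the detection and the tuning above concrete, here is an added example (not the page's query and not CodeIgniter code) that applies the same conditions to constructed DeviceFileEvents-style rows: a script extension appearing as a whole term anywhere in the file name, a web-accessible or upload directory in the path, and a create/modify/rename action. The `DEPLOY_PROCESSES` allowlist is an assumed tuning for the false positives listed above and is not part of the page's KQL; the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Tokens mirror the KQL above: directory names that are web-accessible or
# written to by CodeIgniter4, and the server-side script extensions to flag.
WEB_DIRS = {"writable", "uploads", "public", "assets", "tmp", "cache"}
SCRIPT_EXTS = {"php", "phtml", "php5", "php7", "phar", "shtml", "pht"}

# Assumed tuning for the false positives listed above: deployment tooling that
# legitimately writes PHP. Hypothetical allowlist, not part of the page's query.
DEPLOY_PROCESSES = {"rsync", "git", "composer", "tar", "unzip"}

_TERM = re.compile(r"[A-Za-z0-9]+")


def terms(value: str) -> Set[str]:
    """Approximate KQL `has` semantics: split on non-alphanumerics, lower-case."""
    return {t.lower() for t in _TERM.findall(value)}


@dataclass(frozen=True)
class FileEvent:
    """Subset of a DeviceFileEvents row."""
    action_type: str
    folder_path: str
    file_name: str
    initiating_process: str
    account_name: str


def script_terms(file_name: str) -> Set[str]:
    """Script-extension terms present anywhere in the name.

    Whole-term matching is what lets a double extension such as
    'avatar.php.jpg' still trip on 'php', while 'phpinfo.txt' does not.
    """
    return terms(file_name) & SCRIPT_EXTS


def is_suspicious(ev: FileEvent) -> bool:
    """Script written or renamed into a web-accessible directory by a
    process that is not known deployment tooling."""
    if ev.action_type not in {"FileCreated", "FileModified", "FileRenamed"}:
        return False
    if not (terms(ev.folder_path) & WEB_DIRS):
        return False
    if not script_terms(ev.file_name):
        return False
    return ev.initiating_process.lower() not in DEPLOY_PROCESSES


def run(events: List[FileEvent]) -> List[FileEvent]:
    """Return the events the detection would surface, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE = [
    FileEvent("FileCreated", "/var/www/app/writable/uploads", "shell.php", "php-fpm", "www-data"),
    FileEvent("FileCreated", "/var/www/app/writable/uploads", "avatar.php.jpg", "php-fpm", "www-data"),
    FileEvent("FileCreated", "/var/www/app/writable/uploads", "avatar.jpg", "php-fpm", "www-data"),
    FileEvent("FileCreated", "/var/www/app/public/vendor", "autoload.php", "composer", "deploy"),
    FileEvent("FileCreated", "/var/www/app/public", "index.php", "rsync", "deploy"),
    FileEvent("FileDeleted", "/var/www/app/writable/uploads", "shell.php", "php-fpm", "www-data"),
    FileEvent("FileCreated", "/home/dev/src", "phpinfo.txt", "vim", "dev"),
]

if __name__ == "__main__":
    for hit in run(SAMPLE):
        print(f"ALERT {hit.folder_path}/{hit.file_name} written by "
              f"{hit.initiating_process} as {hit.account_name}")
```

Whole-term matching is deliberate: it mirrors KQL `has_any` and keeps double-extension names such as avatar.php.jpg in scope. The allowlist suppresses writes by deployment tooling rather than by account, since an attacker's web shell runs as the same web server account that performs legitimate uploads.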

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-48062 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, the file-write branch of the detection targets the following logsource; the Testing Methodology below assumes a Linux web host (apache2, php-fpm, www-data), so set `product: windows` instead if the application runs on IIS. The follow-on web-shell execution signals in that section map to `category: process_creation` on the same product:

logsource:
  category: file_event
  product: linux


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate CodeIgniter4 ext_in Bypass via Crafted Multipart Upload

    Expected signal: HTTP POST to upload endpoint with Content-Type image/jpeg but .php file extension; file creation event in upload directory for a .php file; web server process as the initiating process for the file write

  2. Test 2: Web Shell Execution Verification After Upload

    Expected signal: HTTP GET requests to PHP file path in upload directory; process tree showing web server (apache2/nginx/php-fpm) spawning shell or system binaries (id, whoami, uname); network connections to external IP if reverse shell payload used

  3. Test 3: Filesystem Reconnaissance via Uploaded Web Shell

    Expected signal: Process events for cat, ls, find spawned by php-fpm or apache2 with web server UID; file read events on /etc/passwd and .env files initiated by web server process; auditd SYSCALL records for execve by www-data user
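Tests 2 and 3 describe the process-tree signal rather than the file write. The following added example (not from the page, Atomic Red Team or CodeIgniter) shows how to evaluate that signal offline over constructed DeviceProcessEvents-style rows. It walks the parent chain instead of checking only the direct parent, because PHP's system() produces php-fpm -> sh -> id, so the recon binary's parent is sh, not the web server. The image names, the `MAX_DEPTH` of 4 and the sample process tree are assumptions; the sensitive-path check is applied to the command line, so it covers `cat /etc/passwd` but not reads that appear only in file telemetry.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Web server / PHP runtime images that should never spawn interactive tooling
# (assumed list; extend with versioned names such as php-fpm8.2 as needed).
WEB_SERVERS = {"php-fpm", "apache2", "httpd", "nginx", "php-cgi"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Binaries named in Tests 2 and 3.
RECON_BINS = {"id", "whoami", "uname", "cat", "ls", "find"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".env")
# php system() yields php-fpm -> sh -> id, so look past the direct parent.
MAX_DEPTH = 4


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a DeviceProcessEvents row; pid/parent_pid stand in for
    ProcessId/InitiatingProcessId."""
    pid: int
    parent_pid: int
    file_name: str
    command_line: str
    account_name: str


def index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {ev.pid: ev for ev in events}


def web_server_ancestor(ev: ProcessEvent,
                        by_pid: Dict[int, ProcessEvent]) -> Optional[ProcessEvent]:
    """Nearest ancestor within MAX_DEPTH hops whose image is a web server
    or PHP runtime, else None."""
    cur = ev
    for _ in range(MAX_DEPTH):
        cur = by_pid.get(cur.parent_pid)
        if cur is None:
            return None
        if cur.file_name.lower() in WEB_SERVERS:
            return cur
    return None


def classify(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Optional[str]:
    """Label the event as one of the post-upload signals, or None."""
    server = web_server_ancestor(ev, by_pid)
    if server is None:
        return None
    child = ev.file_name.lower()
    if child in SHELLS:
        return f"shell spawned under {server.file_name}"
    if child in RECON_BINS:
        if any(p in ev.command_line for p in SENSITIVE_PATHS):
            return f"sensitive file read under {server.file_name}"
        return f"recon binary under {server.file_name}"
    return None


def run(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, account, label) for every event that fires."""
    by_pid = index_by_pid(events)
    alerts = []
    for ev in events:
        label = classify(ev, by_pid)
        if label:
            alerts.append((ev.pid, ev.account_name, label))
    return alerts


# Constructed sample process tree (not real telemetry).
SAMPLE = [
    ProcessEvent(1, 0, "systemd", "/sbin/init", "root"),
    ProcessEvent(900, 1, "php-fpm", "php-fpm: pool www", "www-data"),
    ProcessEvent(901, 900, "sh", "sh -c 'id; uname -a; cat /etc/passwd'", "www-data"),
    ProcessEvent(902, 901, "id", "id", "www-data"),
    ProcessEvent(903, 901, "uname", "uname -a", "www-data"),
    ProcessEvent(904, 901, "cat", "cat /etc/passwd", "www-data"),
    ProcessEvent(905, 900, "convert", "convert in.jpg -resize 200x200 thumb.jpg", "www-data"),
    ProcessEvent(1000, 1, "cron", "/usr/sbin/cron -f", "root"),
    ProcessEvent(1001, 1000, "find", "find /var/log -mtime +7 -delete", "root"),
    ProcessEvent(1100, 1, "sshd", "sshd: admin [priv]", "root"),
    ProcessEvent(1101, 1100, "bash", "-bash", "admin"),
]

if __name__ == "__main__":
    for pid, account, label in run(SAMPLE):
        print(f"ALERT pid={pid} account={account}: {label}")
```

The benign rows matter as much as the malicious ones: `convert` under php-fpm is the legitimate image-processing case that a "web server spawned a child" rule would flag, `find` under cron and `bash` under sshd show that the same binaries are normal when no web server is in the ancestry.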

Unlock Pro Content

Get the full detection package for CVE-2026-48062 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance
