Description
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.
References (3)
Core 3
Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62
Patch, Third Party Advisory x_refsource_misc
https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
Mitigation, Vendor Advisory x_refsource_misc
https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
Scores
CVSS v3
5.4
EPSS
0.0037
EPSS Percentile
59.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
codeigniter/codeigniter
4.0.0 - 4.1.8
codeigniter4/framework
0 - 4.1.8Packagist
Published
Jan 24, 2022
Tracked Since
Feb 18, 2026