Shells in Your Selfies: CodeIgniter 4 ImageMagick RCE
Jan 1, 2026 · 5 min read
Executive Summary (TL;DR)
CodeIgniter 4 versions before 4.6.2 failed to sanitize inputs when wrapping the ImageMagick CLI. By uploading an image with a carefully crafted filename or using the text overlay feature, an attacker can break out of the command string and execute arbitrary shell commands on the server.
A critical OS Command Injection vulnerability in CodeIgniter 4's ImageMagick handler allows unauthenticated attackers to achieve Remote Code Execution (RCE) via malicious filenames or text overlays.
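The pattern behind this CWE-78 finding is a thin wrapper that interpolates caller-supplied values (an uploaded file's name, overlay text) into a shell command string. The following is an added example written for this page, not CodeIgniter's or the ImageMagick project's own code; the function names `buildCommandUnsafe`, `buildCommandSafe`, `buildArgvNoShell` and `isSafeFilename`, the `$binary` path and the sample filenames are all assumptions chosen for the illustration. It places the vulnerable string-building form beside two hardened forms (per-argument quoting with `escapeshellarg()`, and bypassing the shell entirely with an argv array for `proc_open()`), plus a filename allowlist check as defense in depth.

```php
<?php
// Added example, not CodeIgniter's own code. Demonstrates the CWE-78 pattern
// this advisory describes: a wrapper around the ImageMagick `convert` binary.
// All function names and sample values below are hypothetical.

// VULNERABLE: user-controlled values are concatenated straight into a string
// that is later handed to a shell. A filename or overlay text containing shell
// metacharacters (;, |, $(), backticks, ...) changes the command's meaning.
function buildCommandUnsafe(string $binary, string $source, string $dest, string $overlayText): string
{
    return "$binary $source -gravity center -annotate +0+0 '$overlayText' $dest";
}

// HARDENED (shell still involved): every variable argument is wrapped with
// escapeshellarg(), so the shell treats each value as one literal word.
function buildCommandSafe(string $binary, string $source, string $dest, string $overlayText): string
{
    return implode(' ', [
        escapeshellcmd($binary),
        escapeshellarg($source),
        '-gravity', 'center',
        '-annotate', '+0+0', escapeshellarg($overlayText),
        escapeshellarg($dest),
    ]);
}

// PREFERRED (no shell at all): PHP 7.4+ proc_open() accepts an array, in which
// case the process is started directly with these argv entries and no shell
// parsing happens. Returned as an array so it can be inspected or tested.
function buildArgvNoShell(string $binary, string $source, string $dest, string $overlayText): array
{
    return [$binary, $source, '-gravity', 'center', '-annotate', '+0+0', $overlayText, $dest];
}

// DEFENSE IN DEPTH: quoting protects the shell, not ImageMagick's own
// interpretation of a filename (format prefixes, leading '-' read as an
// option). Accept only a conservative basename, and in practice generate the
// stored filename server-side instead of reusing the client-supplied one.
function isSafeFilename(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$/', $name);
}

function runConvert(string $binary, string $source, string $dest, string $overlayText): int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(buildArgvNoShell($binary, $source, $dest, $overlayText), $descriptors, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // exit status of convert itself
}

// Constructed sample inputs (not from the advisory).
$binary  = '/usr/bin/convert';
$good    = 'photo_1.png';
$bad     = 'photo; x.png';   // contains shell metacharacters; must be rejected

var_dump(isSafeFilename($good)); // bool(true)
var_dump(isSafeFilename($bad));  // bool(false)

// Compare how the two string builders treat the same overlay text.
echo buildCommandUnsafe($binary, $good, 'out.png', "hello 'world'"), PHP_EOL;
echo buildCommandSafe($binary, $good, 'out.png', "hello 'world'"), PHP_EOL;
```

The unsafe builder prints a command in which the overlay text's own quote characters terminate the literal, which is exactly the boundary an injected value crosses; the safe builder emits one quoted word per argument. Where the target environment allows it, the argv form is the one to keep: with no shell in the path, there is no command string for a filename or overlay to break out of, and the allowlist then only has to guard ImageMagick's own filename semantics.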
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| CodeIgniter 4 (CodeIgniter Foundation) | < 4.6.2 | 4.6.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 (OS Command Injection) |
| CVSS v3.1 | 9.8 (Critical) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | Remote Code Execution (RCE) |
MITRE ATT&CK Mapping
CWE-78 definition: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command.