GHSA-w6jr-wj64-mc9x · Severity: high · Ecosystem: composer — Deserialization of Untrusted Data in Codeigniter4
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.
Conclusion & alert: CVE-2022-21647 is rated High Risk (70.2/100): CVSS High severity, with high exploitation likelihood (EPSS 37.67%, 98th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +27.73% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 9.94% | 37.67% | +27.73% |
| 2 | 2026-03-17 | 10.87% | 9.94% | -0.93% |
| 3 | 2025-11-21 | — | 10.87% | — |
Full EPSS history (27 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.7 | 3.1 | HIGH |
|
2.2 | 5.5 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
GHSA-w6jr-wj64-mc9x · Severity: high · Ecosystem: composer — Deserialization of Untrusted Data in Codeigniter4
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| codeigniter | codeigniter | >= 4.0.0, < 4.1.6 | cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5 | Patch Third Party Advisory |
| https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x | Mitigation Third Party Advisory |