CodeIgniter 4.7.3
Breaking: CodeIgniter 4.7.3 Is Here
CodeIgniter 4.7.3 ships today, May 22, 2026. This is a maintenance release focused on security hardening and bug fixes.
Security Fix
- File upload validation bypass patched -- The ext_in validation rule now validates the client filename extension AND verifies it matches the detected MIME type. Previously, only the MIME-derived guessed extension was checked. Severity: High. Credits to @z3moo and @teebow1e for reporting.
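The difference between the two behaviours described in the security fix, as an added example in plain PHP (it is not CodeIgniter's own code). The MIME_EXTENSIONS map, the function names and the sample file names are assumptions made for illustration, and the sample bytes are a constructed PNG header.

```php
<?php
declare(strict_types=1);

// Constructed MIME-to-extension map (assumption; a framework ships a full table).
const MIME_EXTENSIONS = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
];

/** Extensions that the detected content type is allowed to carry. */
function extensionsForContent(string $bytes): array
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: '';
    return MIME_EXTENSIONS[$mime] ?? [];
}

/** Older behaviour: only the MIME-derived (guessed) extension is checked. */
function guessedExtensionOnly(string $bytes, array $allowed): bool
{
    return array_intersect(extensionsForContent($bytes), $allowed) !== [];
}

/** Hardened behaviour: client extension must be allowed AND agree with the content. */
function clientAndContentAgree(string $clientName, string $bytes, array $allowed): bool
{
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($clientExt === '' || !in_array($clientExt, $allowed, true)) {
        return false; // missing or disallowed client filename extension
    }
    // The name the client supplied must match what the bytes actually are.
    return in_array($clientExt, extensionsForContent($bytes), true);
}

// Constructed sample: PNG signature plus the start of an IHDR chunk.
$png     = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\0\x01\0\0\0\x01\x08\x06\0\0\0";
$allowed = ['png', 'jpg', 'jpeg'];

// Same bytes, four client filenames: only the first should pass the hardened check.
foreach (['avatar.png', 'avatar.html', 'avatar.jpg', 'avatar'] as $name) {
    printf(
        "%-12s guessed-only=%-5s hardened=%s\n",
        $name,
        var_export(guessedExtensionOnly($png, $allowed), true),
        var_export(clientAndContentAgree($name, $png, $allowed), true)
    );
}
```

The guessed-only check never looks at the client filename, so its result is the same for every name; the hardened check rejects names whose extension is missing, not allowed, or inconsistent with the detected type.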
Bug Fixes
- Autoloader composer path injectable -- fixes parallel test race condition
- SPL closures stored in register() so unregister() can remove them
- Output buffer properly closed after command() usage
- Validation::getValidated() now preserves null values
- CLI::write() and CLI::error() behavior refactored for consistency
- env command no longer throws when called with options only
- stty stderr leak suppressed in CLI::generateDimensions() when stdin is not a TTY
- Kint CSP state reset in worker mode
- Time::createFromTimestamp made locale-independent
- SQLSRV driver decrement() method fixed
- tput stderr leak suppressed when TERM is not present
- Third-party loggers now supported in toolbar logs collector
- PostgreSQL Builder increment() and decrement() fixed for numeric columns
- Cached table list shape preserved
- Regex matching hardened on key:generate command
- Deep dot-notation traversal restored in Language::getLine()
- frankenphp-worker.php template made idempotent on watcher restart
- Entity::normalizeValue() handles UnitEnum before toArray()
- zlib output compression value properly recognized
- --host option escaped in serve command
Refactoring
- Full test coverage added for logs:clear, debugbar:clear, and cache:clear commands
- routes command -h option renamed to --handler then further to --sort-by-handler
- FileLocator::listFiles() simplified
- PHPStan baseline reduced across child return types and callable signatures
- --do-not-cache-result flag passed to prevent shared cache corruption
Upgrade now via Composer: composer update codeigniter4/framework --with-dependencies