Skip to main content

CodeIgniter 4.7.3

Release Date: May 22, 2026

Breaking: CodeIgniter 4.7.3 Is Here

CodeIgniter 4.7.3 ships today, May 22, 2026. This is a maintenance release focused on security hardening and bug fixes.

Security Fix

  • File upload validation bypass patched -- The ext_in validation rule now validates the client filename extension AND verifies it matches the detected MIME type. Previously, only the MIME-derived guessed extension was checked. Severity: High. Credits to @z3moo and @teebow1e for reporting.

Bug Fixes

  • Autoloader composer path injectable -- fixes parallel test race condition
  • SPL closures stored in register() so unregister() can remove them
  • Output buffer properly closed after command() usage
  • Validation::getValidated() now preserves null values
  • CLI::write() and CLI::error() behavior refactored for consistency
  • env command no longer throws when called with options only
  • stty stderr leak suppressed in CLI::generateDimensions() when stdin is not a TTY
  • Kint CSP state reset in worker mode
  • Time::createFromTimestamp made locale-independent
  • SQLSRV driver decrement() method fixed
  • tput stderr leak suppressed when TERM is not present
  • Third-party loggers now supported in toolbar logs collector
  • PostgreSQL Builder increment() and decrement() fixed for numeric columns
  • Cached table list shape preserved
  • Regex matching hardened on key:generate command
  • Deep dot-notation traversal restored in Language::getLine()
  • frankenphp-worker.php template made idempotent on watcher restart
  • Entity::normalizeValue() handles UnitEnum before toArray()
  • zlib output compression value properly recognized
  • --host option escaped in serve command

Refactoring

  • Full test coverage added for logs:clear, debugbar:clear, and cache:clear commands
  • routes command -h option renamed to --handler then further to --sort-by-handler
  • FileLocator::listFiles() simplified
  • PHPStan baseline reduced across child return types and callable signatures
  • --do-not-cache-result flag passed to prevent shared cache corruption

Upgrade now via Composer: composer update codeigniter4/framework --with-dependencies

What is New?

By continuing to use the site, you agree to the use of cookies.