CVE-2025-45406

Published: Jul 25, 2025

Modified: Jul 29, 2025

PUBLISHED

Description

A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://nvd.nist.gov/vuln/detail/CVE-2020-15943

https://github.com/advisories/GHSA-7h5r-54mm-w4pq

https://www.exploit-db.com/exploits/50556

https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-45406

Description

Affected Products

References