CVE-2025-45406

A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.

Published: Jul 25, 2025
Updated: Jul 30, 2025
CVE: CVE-2025-45406
GHSA: GHSA-49jm-g4m8-x53p
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
codeigniter4 / framework	-	4.6.2.x

https://github.com/advisories/GHSA-7h5r-54mm-w4pq
https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496
https://github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496
https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
https://nvd.nist.gov/vuln/detail/CVE-2020-15943
https://www.exploit-db.com/exploits/50556

Vulnerability Database

CVE-2025-45406