PT-2025-31111 · Unknown · Codeigniter +1
Published 2025-07-26 · Updated 2025-08-01 · CVE-2025-54418 · Score 10 (Critical)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
**Name of the Vulnerable Software and Affected Versions:**
CodeIgniter versions prior to 4.6.2
**Description:**
CodeIgniter is a PHP full-stack web framework susceptible to a command injection vulnerability. This issue affects applications utilizing the ImageMagick handler (`imagick`) for image processing and either allowing file uploads with user-controlled filenames processed with the `resize()` method or using the `text()` method with user-controlled text content or options. An attacker can exploit this by uploading a file with a malicious filename containing shell metacharacters, which are executed during image processing, or by providing malicious text content or options that are executed when adding text to images. Approximately 2,254,632 systems are potentially affected worldwide.
**Recommendations:**
Upgrade to version 4.6.2 or later.
As a workaround, switch to the GD image handler (`gd`), which is not affected.
For file upload scenarios, use `getRandomName()` with the `move()` method or the `store()` method to generate safe filenames instead of using user-provided filenames.
For text operations, sanitize user-controlled text input to allow only safe characters and validate/restrict text options.
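Applying the file-upload and text recommendations above in a CodeIgniter 4 controller (example code added here, not the framework's or the advisory's own; the `App\Controllers\UploadController` class, the `image` and `caption` form fields and the `WRITEPATH . 'uploads'` destination are assumptions):

```php
<?php
// Example added for this advisory (not CodeIgniter project code). Assumed:
// a form posting an 'image' file and a 'caption' text field; thumbnails are
// written under WRITEPATH . 'uploads'.

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

class UploadController extends Controller
{
    public function upload()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid()) {
            return $this->response->setStatusCode(400)->setBody('No valid upload.');
        }

        // Vulnerable pattern (pre-4.6.2 with the imagick handler): keeping the
        // client-supplied name means that name is later passed to resize(),
        // which hands it to the ImageMagick command line.
        //   $file->move(WRITEPATH . 'uploads', $file->getClientName());

        // Mitigation: let the framework choose a random, extension-preserving
        // name so no client-controlled bytes reach the image pipeline.
        $name = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $name);
        $path = WRITEPATH . 'uploads/' . $name;

        // Mitigation for text(): accept only a conservative character set and
        // keep every option fixed server-side rather than taken from the request.
        $caption = (string) $this->request->getPost('caption');
        if (! preg_match('/^[A-Za-z0-9 .,_-]{1,64}$/', $caption)) {
            return $this->response->setStatusCode(400)->setBody('Caption contains disallowed characters.');
        }

        Services::image('imagick')
            ->withFile($path)
            ->resize(300, 300, true)
            ->text($caption, ['color' => '#ffffff', 'fontSize' => 14, 'vAlign' => 'bottom'])
            ->save(WRITEPATH . 'uploads/thumb_' . $name);

        return $this->response->setBody('Stored as ' . $name);
    }
}
```

Upgrading to 4.6.2 remains the primary fix; the random-name and whitelist steps are the advisory's workarounds for code that must keep running on an older release.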
Tags: Fix · RCE · OS Command Injection
References · 26
- https://bdu.fstec.ru/vul/2025-09184 · Security Note
- https://osv.dev/vulnerability/CVE-2025-54418 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-54418 · Security Note
- https://osv.dev/vulnerability/GHSA-9952-gv64-x94c · Vendor Advisory
- https://github.com/codeigniter4/CodeIgniter4 · Note
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c · Note
- https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0 · Note
- https://github.com/advisories/GHSA-9952-gv64-x94c · Note
- https://t.me/TheDarkWebInformer/19113 · Telegram Post
- https://twitter.com/CveFindCom/status/1949849818022514760 · Twitter Post
- https://reddit.com/r/CVEWatch/comments/1md2llk/top_10_trending_cves_30072025 · Reddit Post
- https://cwe.mitre.org/data/definitions/78.html · Note
- https://twitter.com/VulmonFeeds/status/1949941800698867965 · Twitter Post
- https://t.me/CVEtracker/28580 · Telegram Post
- https://twitter.com/CCBalert/status/1950201828437528947 · Twitter Post