Critical severity9.8NVD Advisory· Published Sep 19, 2017· Updated May 13, 2026

CVE-2014-8686

Description

CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.

Affected products

Codeigniter/Codeigniter
cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
Range: <=2.1.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

beyondbinary.io/articles/seagate-nas-rce/nvdExploitThird Party Advisory
packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.htmlnvdThird Party AdvisoryVDB Entry
codeigniter.com/userguide2/changelog.htmlnvdVendor Advisory
www.dionach.com/blog/codeigniter-session-decoding-vulnerabilitynvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.027
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000