CodeIgniter 4 ext_in Validation Bypass via MIME Extension
What changed
The `ext_in` upload validation rule used the MIME-derived guessed extension instead of the client-provided filename extension, allowing files like `shell.php` with GIF content to pass validation.
Who it affects
Applications using CodeIgniter 4 that accept user uploads, rely on `ext_in` for extension validation, save files under the original client filename, store uploads in web-accessible directories, and allow PHP execution there.
What to do today
Upgrade to v4.7.3 or later. If you cannot upgrade, apply one or more workarounds: save uploads outside the public web root, use random filenames, disable script execution in upload directories, manually verify the client-provided extension, or reject uploads whose client extension does not match the content-derived one.
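The following is an added illustration, not CodeIgniter's own code, of why a check based only on the content-guessed extension lets `shell.php` with GIF bytes through, and of the hardened handling the workarounds describe (verify the client extension, reject mismatches, store under a random name outside the web root). The magic-byte sniffer, the MIME table and the `/var/app/uploads/` path are assumptions chosen to keep the snippet self-contained; it targets PHP 8.

```php
<?php
// Added example (not CodeIgniter's FileRules): contrast a content-only extension
// check with one that also verifies the client-supplied filename extension.

// Minimal content sniffer standing in for real MIME detection (assumption).
function sniffMime(string $bytes): string
{
    if (str_starts_with($bytes, "GIF87a") || str_starts_with($bytes, "GIF89a")) {
        return 'image/gif';
    }
    if (str_starts_with($bytes, "\x89PNG\r\n\x1a\n")) {
        return 'image/png';
    }
    if (str_starts_with($bytes, "\xFF\xD8\xFF")) {
        return 'image/jpeg';
    }
    return 'application/octet-stream';
}

const MIME_TO_EXT = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

// Extension the client claims, taken from the filename it sent.
function clientExtension(string $clientName): string
{
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
}

// Extension guessed from the content, which is all the affected rule consulted.
function guessedExtension(string $bytes): string
{
    return MIME_TO_EXT[sniffMime($bytes)] ?? '';
}

// Vulnerable pattern: only the content-derived guess is compared against the
// allow list, so a file named shell.php that carries GIF bytes is accepted and
// can later be saved under its client name.
function extInVulnerable(string $clientName, string $bytes, array $allowed): bool
{
    return in_array(guessedExtension($bytes), $allowed, true);
}

// Hardened pattern: the client extension must itself be on the allow list and
// must agree with what the content looks like; any mismatch is rejected.
function extInHardened(string $clientName, string $bytes, array $allowed): bool
{
    $client  = clientExtension($clientName);
    $guessed = guessedExtension($bytes);
    if (!in_array($client, $allowed, true)) {
        return false;
    }
    // jpeg and jpg name the same format; everything else must match exactly.
    $normalize = fn(string $e): string => $e === 'jpeg' ? 'jpg' : $e;
    return $normalize($client) === $normalize($guessed);
}

// Storage path that never reuses the client name: random basename, the
// validated extension, and a directory outside the web root (hypothetical path).
function safeStoragePath(string $clientName, string $bytes, array $allowed): ?string
{
    if (!extInHardened($clientName, $bytes, $allowed)) {
        return null;
    }
    return '/var/app/uploads/' . bin2hex(random_bytes(16)) . '.' . clientExtension($clientName);
}

$allowed  = ['gif', 'png', 'jpg', 'jpeg'];
$gifBytes = "GIF89a" . str_repeat("\x00", 16); // constructed sample: a bare GIF header

foreach (['shell.php', 'avatar.gif', 'avatar'] as $name) {
    printf(
        "%-12s vulnerable=%s hardened=%s path=%s\n",
        $name,
        extInVulnerable($name, $gifBytes, $allowed) ? 'accept' : 'reject',
        extInHardened($name, $gifBytes, $allowed) ? 'accept' : 'reject',
        safeStoragePath($name, $gifBytes, $allowed) ?? '(none)'
    );
}
```

Run with `php example.php`: the vulnerable check accepts all three names because the content sniffs as GIF, while the hardened check accepts only `avatar.gif`, and only that upload receives a storage path. Even with the hardened check in place, keeping the random-name, outside-web-root storage is what removes the impact of any future validation slip.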