diff --git a/CHANGELOG.md b/CHANGELOG.md
index efb902c3dcdf..0f8cbd59deb0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,53 @@
# Changelog
+## [v4.7.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.3) (2026-05-22)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.2...v4.7.3)
+
+### Security
+
+* **Validation**: *Uploaded file extension validation bypass in `ext_in` rule*
+ The ``ext_in`` file upload validation rule now validates the client filename extension and verifies that it
+ matches the detected MIME type. Previously, ``ext_in`` only checked the MIME-derived guessed extension, so
+ a file with a mismatched client extension could pass validation.
+
+ See the [GHSA-2gr4-ppc7-7mhx security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx) for more information. Credits to @z3moo and @teebow1e for reporting the issue.
+
+### Fixed Bugs
+
+* fix: make Autoloader composer path injectable to fix parallel test race condition by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10082
+* fix: store SPL closures in `register()` so `unregister()` can remove them by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10097
+* fix: ensure output buffer is closed after use of `command()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10099
+* fix: preserve null values in Validation::getValidated() by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10101
+* fix: refactor inconsistent behavior on `CLI::write()` and `CLI::error()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10106
+* fix: ensure calling `env` command with options only would not throw by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10114
+* fix: suppress stty stderr leak in `CLI::generateDimensions()` when stdin is not a TTY by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10124
+* fix: reset Kint CSP state in worker mode by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10139
+* fix: make `Time::createFromTimestamp` locale-independent by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10151
+* fix: SQLSRV driver's `decrement()` method by @patel-vansh in https://github.com/codeigniter4/CodeIgniter4/pull/10155
+* fix: suppress tput stderr leak when TERM is not present by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10167
+* fix: support third-party loggers in toolbar logs collector by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10173
+* fix: PostgreSQL Builder's `increment()` and `decrement()` methods not working for numeric columns by @patel-vansh in https://github.com/codeigniter4/CodeIgniter4/pull/10172
+* fix: preserve cached table list shape by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10179
+* fix: harden regex matching on `key:generate` command by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10183
+* fix: restore deep dot-notation traversal in `Language::getLine()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10189
+* fix: make frankenphp-worker.php template idempotent on watcher restart by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10191
+* fix: `Entity::normalizeValue()` must handle `UnitEnum` before `toArray()` by @maniaba in https://github.com/codeigniter4/CodeIgniter4/pull/10137
+* fix: recognize off zlib output compression value by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10193
+* fix: escape `--host` option in `serve` command by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10203
+
+### Refactoring
+
+* refactor: add full testing for `logs:clear` command by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10090
+* refactor: add full testing for `debugbar:clear` command by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10093
+* refactor: pass `--do-not-cache-result` to prevent shared cache corruption by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10098
+* refactor: add full testing for `cache:clear` command by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10094
+* refactor: rename `-h` option of `routes` command as `--handler` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10113
+* refactor: further rename `--handler` to `--sort-by-handler` for `routes` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10125
+* refactor: UX: `ClearLogs::execute()` error message is misleading after interactive `'n'` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10126
+* refactor: simplify `FileLocator::listFiles()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10142
+* refactor: reduce PHPStan child return type baseline by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10165
+* refactor: remove PHPStan callable signature baseline by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10166
+
## [v4.7.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.2) (2026-03-24)
[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.1...v4.7.2)
diff --git a/phpdoc.dist.xml b/phpdoc.dist.xml
index f5a5f247f456..33101eeaa704 100644
--- a/phpdoc.dist.xml
+++ b/phpdoc.dist.xml
@@ -10,7 +10,7 @@
api/cache/
-
+ system
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
index dcc8fd33ede9..66fe9d0b4983 100644
--- a/system/CodeIgniter.php
+++ b/system/CodeIgniter.php
@@ -55,7 +55,7 @@ class CodeIgniter
/**
* The current version of CodeIgniter Framework
*/
- public const CI_VERSION = '4.7.3-dev';
+ public const CI_VERSION = '4.7.3';
/**
* App startup time.
diff --git a/user_guide_src/source/changelogs/v4.7.3.rst b/user_guide_src/source/changelogs/v4.7.3.rst
index ccc1b70c22df..1d232e1ae0ae 100644
--- a/user_guide_src/source/changelogs/v4.7.3.rst
+++ b/user_guide_src/source/changelogs/v4.7.3.rst
@@ -2,7 +2,7 @@
Version 4.7.3
#############
-Release Date: Unreleased
+Release Date: May 22, 2026
**4.7.3 release of CodeIgniter4**
@@ -21,10 +21,6 @@ SECURITY
See the `Security advisory GHSA-2gr4-ppc7-7mhx `_
for more information.
-********
-BREAKING
-********
-
***************
Message Changes
***************
@@ -39,10 +35,6 @@ Changes
The old ``-h`` option will continue to work until v4.8.0, at which point it will be removed and repurposed as a shortcut for ``--help``.
A warning message is displayed when using the old ``-h`` option to encourage users to switch to the new ``--sort-by-handler`` option.
-************
-Deprecations
-************
-
**********
Bugs Fixed
**********
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
index 24e23f22aafa..d7f994c7a943 100644
--- a/user_guide_src/source/conf.py
+++ b/user_guide_src/source/conf.py
@@ -26,7 +26,7 @@
version = '4.7'
# The full version, including alpha/beta/rc tags.
-release = '4.7.2'
+release = '4.7.3'
# -- General configuration ---------------------------------------------------
diff --git a/user_guide_src/source/installation/upgrade_473.rst b/user_guide_src/source/installation/upgrade_473.rst
index 13962bc802e0..6e832a7a3d08 100644
--- a/user_guide_src/source/installation/upgrade_473.rst
+++ b/user_guide_src/source/installation/upgrade_473.rst
@@ -44,10 +44,6 @@ validation. If your application intentionally accepts such files, remove
``ext_in`` from those validation rules and use a custom validation rule that
matches your application's requirements.
-*********************
-Breaking Enhancements
-*********************
-
*************
Project Files
*************
@@ -68,7 +64,10 @@ and it is recommended that you merge the updated versions with your application:
Config
------
-- @TODO
+- app/Config/Database.php
+- app/Config/Events.php
+- app/Config/Routes.php
+- app/Config/View.php
All Changes
===========
@@ -76,4 +75,7 @@ All Changes
This is a list of all files in the **project space** that received changes;
many will be simple comments or formatting that have no effect on the runtime:
-- @TODO
+- app/Config/Database.php
+- app/Config/Events.php
+- app/Config/Routes.php
+- app/Config/View.php