CVE-2026-23643 (CVSS base score 5.4)

CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
Data provided by the National Vulnerability Database (NVD)

Affected products:
  Cakephp Cakephp, version >= 5.2.10 and < 5.2.12
  Cakephp Cakephp, version 5.3.0
No warning was found for this CVE.

EPSS Metrics
  Type   Source     Score   Percentile
  EPSS   FIRST.org  0.25%   0.163

CVSS Metrics
  Source: security-advisories@github.com
  Base Score: 5.4, Exploit Score: 2.8, Impact Score: 2.5
  Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References:
  https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 (Vendor Advisory)
  https://github.com/cakephp/cakephp/issues/19172 (Issue Tracking)
  https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f (Patch)
  https://bakery.cakephp.org/2026/01/14/cakephp_5212.html (Product, Release Notes)
  https://github.com/cakephp/cakephp/releases/tag/5.2.12 (Product, Release Notes)
  https://github.com/cakephp/cakephp/releases/tag/5.3.1 (Product, Release Notes)