Skip to main content

Cakephp CVE-2026-23643

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-01-16 security-advisories@github.com GHSA-qh8m-9qxx-53m5
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 23, 2026 - 20:51 nvd
Patch available
CVE Published
Jan 16, 2026 - 21:15 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

AnalysisAI

CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the query string component of Cakephp. CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 5.2.12. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Share

CVE-2026-23643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy