Skip to main content

Cakephp

8 CVEs product

Monthly

CVE-2026-48820 PHP MEDIUM PATCH GHSA This Month

Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.

PHP Information Disclosure LFI Cakephp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-23643 PHP MEDIUM PATCH This Month

CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.

Red Hat Cakephp
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2023-22727 PHP CRITICAL PATCH Act Now

CakePHP is a development framework for PHP web apps. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

PHP SQLi Cakephp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2020-15400 PHP MEDIUM PATCH This Month

CakePHP before 4.0.6 mishandles CSRF token generation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF Cakephp
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2019-11458 PHP HIGH PATCH This Week

An issue was discovered in SmtpTransport in CakePHP 3.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Cakephp
NVD GitHub
CVSS 3.0
7.5
EPSS
2.0%
CVE-2016-4793 PHP HIGH POC PATCH This Week

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cakephp
NVD Exploit-DB VulDB
CVSS 3.0
7.5
EPSS
8.3%
CVE-2015-8379 PHP HIGH POC PATCH This Week

CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Cakephp
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2012-4399 PHP HIGH POC PATCH THREAT Act Now

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.9%.

XXE Cakephp
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
24.9%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.

PHP Information Disclosure LFI +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.

Red Hat Cakephp
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

CakePHP is a development framework for PHP web apps. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

PHP SQLi Cakephp
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CakePHP before 4.0.6 mishandles CSRF token generation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF Cakephp
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in SmtpTransport in CakePHP 3.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Cakephp
NVD GitHub
EPSS 8% CVSS 7.5
HIGH POC PATCH This Week

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cakephp
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Cakephp
NVD GitHub
EPSS 25% CVSS 7.5
HIGH POC PATCH THREAT Act Now

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.9%.

XXE Cakephp
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy