{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23643", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-01-16T20:38:45.170Z", "dateUpdated": "2026-01-16T21:21:56.372Z"}, "containers": {"cna": {"title": "CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5"}, {"name": "https://github.com/cakephp/cakephp/issues/19172", "tags": ["x_refsource_MISC"], "url": "https://github.com/cakephp/cakephp/issues/19172"}, {"name": "https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f", "tags": ["x_refsource_MISC"], "url": "https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f"}, {"name": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html", "tags": ["x_refsource_MISC"], "url": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html"}, {"name": "https://github.com/cakephp/cakephp/releases/tag/5.2.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/cakephp/cakephp/releases/tag/5.2.12"}, {"name": "https://github.com/cakephp/cakephp/releases/tag/5.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/cakephp/cakephp/releases/tag/5.3.1"}], "affected": [{"vendor": "cakephp", "product": "cakephp", "versions": [{"version": ">= 5.2.10, < 5.2.12", "status": "affected"}, {"version": ">= 5.3.0, < 5.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:38:45.170Z"}, "descriptions": [{"lang": "en", "value": "CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1."}], "source": {"advisory": "GHSA-qh8m-9qxx-53m5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T21:21:32.578620Z", "id": "CVE-2026-23643", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:21:56.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23643", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T21:21:32.578620Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:21:48.383Z"}}], "cna": {"title": "CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting", "source": {"advisory": "GHSA-qh8m-9qxx-53m5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "cakephp", "product": "cakephp", "versions": [{"status": "affected", "version": ">= 5.2.10, < 5.2.12"}, {"status": "affected", "version": ">= 5.3.0, < 5.3.1"}]}], "references": [{"url": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5", "name": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cakephp/cakephp/issues/19172", "name": "https://github.com/cakephp/cakephp/issues/19172", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f", "name": "https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f", "tags": ["x_refsource_MISC"]}, {"url": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html", "name": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cakephp/cakephp/releases/tag/5.2.12", "name": "https://github.com/cakephp/cakephp/releases/tag/5.2.12", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cakephp/cakephp/releases/tag/5.3.1", "name": "https://github.com/cakephp/cakephp/releases/tag/5.3.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:38:45.170Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23643", "state": "PUBLISHED", "dateUpdated": "2026-01-16T21:21:56.372Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T20:38:45.170Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cakephp:cakephp:*:*:*:*:*:*:*:*", "matchCriteriaId": "DACDDE3A-55B3-43F0-A030-07372FDEC42B", "versionEndExcluding": "5.2.12", "versionStartIncluding": "5.2.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:cakephp:cakephp:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "56DEA383-8A1A-47C5-B1B9-BB4FEF91024D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1."}], "id": "CVE-2026-23643", "lastModified": "2026-02-23T20:51:11.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-16T21:15:51.543", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/cakephp/cakephp/issues/19172"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/cakephp/cakephp/releases/tag/5.2.12"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/cakephp/cakephp/releases/tag/5.3.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:01:00.249647+00:00", "value": {"mitigation_remediation": ["Upgrade the CakePHP installation to version 5.2.12 or later; if using the 5.3 branch, upgrade to 5.3.1 or later.", "Implement proper output encoding for any dynamic pagination limits in your application\u2019s views to mitigate future regressions.", "Review any custom modifications to the PaginatorHelper::limitControl() to ensure they do not reintroduce unsanitized output."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects CakePHP, version 5.2.x and 5.3.x. Versions 5.2.12 and 5.3.1 contain the fix. The affected product is the CakePHP framework used in PHP web applications, particularly any installation that processes pagination limits via the limitControl helper.", "description_and_impact": "This vulnerability arises in the PaginatorHelper::limitControl() method when a query string parameter is used directly in output without proper sanitization. The flaw permits an attacker to insert malicious script code that will be reflected back to the browser, enabling cross\u2011site scripting attacks. The immediate consequence is the compromise of the victim\u2019s browser session, potential credential theft or defacement.", "risk_and_exploitability": "The CVSS score of 5.4 denotes moderate risk, and the EPSS score of less than 1% indicates a very low likelihood that the vulnerability is being actively exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation. Attackers could exploit the flaw by crafting a malicious URL containing JavaScript payloads in the limit parameter, which would be shown to other users clicking the link. Successful exploitation would allow an attacker to run arbitrary client\u2011side scripts in the context of a victim\u2019s session, but it does not lead to remote code execution or server compromise."}}}}, "created": "2026-01-19T09:19:45.537928+00:00", "updated": "2026-04-18T16:15:04.591702+00:00", "vendors": ["cakephp", "cakephp$PRODUCT$cakephp"]}