CVE-2026-23643 — Cross-site Scripting in Cakephp

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 94.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cakephp Debian Cakephp

Timeline

PublishedJan 16

Description

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶NVDcakephp/cakephp5.2.10 — 5.2.12+1

▶Packagistcakephp/cakephp5.2.10 — 5.2.12+1

▶debiandebian/cakephp

▶CVEListV5cakephp/cakephp>= 5.2.10, < 5.2.12, >= 5.3.0, < 5.3.1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting↗2026-01-16

▶

OSV

CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting↗2026-01-16

▶

OSV

CVE-2026-23643: CakePHP is a rapid development framework for PHP↗2026-01-16

▶

📋Vendor Advisories

Debian

CVE-2026-23643: cakephp - CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitCont...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23643 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶