Vulnerability Description
CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cakephp | Cakephp | >= 5.2.10, < 5.2.12 |
Related Weaknesses (CWE)
References
- https://bakery.cakephp.org/2026/01/14/cakephp_5212.html (Product, Release Notes)
- https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced95 (Patch)
- https://github.com/cakephp/cakephp/issues/19172 (Issue Tracking)
- https://github.com/cakephp/cakephp/releases/tag/5.2.12 (Product, Release Notes)
- https://github.com/cakephp/cakephp/releases/tag/5.3.1 (Product, Release Notes)
- https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 (Vendor Advisory)
FAQ
What is CVE-2026-23643?
CVE-2026-23643 is a vulnerability with a CVSS score of 5.4 (MEDIUM). CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed...
How severe is CVE-2026-23643?
CVE-2026-23643 has been rated MEDIUM with a CVSS base score of 5.4/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-23643?
Yes. The issue is fixed in CakePHP 5.2.12 and 5.3.1; see the References section above for the vendor advisory, the fixing commit and the release notes. Affected product: CakePHP (vendor Cakephp).