Description
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.
Published: 2026-06-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Backpack‑CRUD, a package for the Laravel framework, was found to allow attackers to inject malicious script content into error views that are rendered to users. The flaw is a classic reflected cross‑site scripting weakness (CWE‑79) that can disclose sensitive information or provide administrative access when a victim follows a crafted link. The impact is confined to users or admins viewing a back‑office page that displays an unescaped exception message.

Affected Systems

The vulnerability exists in Backpack‑CRUD versions prior to 5.0.13, 4.1.69, and 4.0.63. Administrators running any of these older releases are exposed, while versions 5.0.13, 4.1.69, and 4.0.63 contain the fix.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate severity. The EPSS score is not available, but the vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice a user or administrator to click a specially crafted link that triggers the vulnerable exception handling path. The breach requires a user‑initiated action, making exposure dependent on targeted phishing or social engineering.

Generated by OpenCVE AI on June 3, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Backpack‑CRUD to at least version 5.0.13, 4.1.69, or 4.0.63, depending on the major release in use.
  • If a patch cannot be applied immediately, modify the templates in resources/views/errors to escape exception messages by replacing $exception->getMessage() with e($exception->getMessage()).
  • Confirm that the application does not expose raw exception messages to end users and review the error handling configuration to block direct script injection.

Generated by OpenCVE AI on June 3, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-54108
Github GHSA Github GHSA GHSA-m8xx-3x29-84h8 backpack/crud is vulnerable to Cross-Site Scripting (XSS)
History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Laravel-backpack
Laravel-backpack crud
Vendors & Products Laravel-backpack
Laravel-backpack crud

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.
Title backpack/crud Vulnerable to Cross-site Scripting
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Laravel-backpack Crud
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T16:01:22.313Z

Reserved: 2022-05-18T18:37:25.429Z

Link: CVE-2022-31114

cve-icon Vulnrichment

Updated: 2026-06-03T16:01:19.401Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T16:16:18.597

Modified: 2026-06-04T16:18:41.697

Link: CVE-2022-31114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:11:31Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')