Description
CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
Published: 2026-01-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

This vulnerability arises in the PaginatorHelper::limitControl() method when a query string parameter is used directly in output without proper sanitization. The flaw lets an attacker insert script code that is reflected back to the browser, enabling cross-site scripting. The immediate consequences are compromise of the victim's browser session, potential credential theft, or defacement.

Affected Systems

The flaw affects CakePHP versions 5.2.x and 5.3.x; versions 5.2.12 and 5.3.1 contain the fix. The affected product is the CakePHP framework as used in PHP web applications, in particular any installation that renders pagination limits via the limitControl() helper.

Risk and Exploitability

The CVSS score of 5.4 denotes moderate risk, and the EPSS score of less than 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed widespread exploitation. An attacker could exploit the flaw by crafting a URL that carries a script payload in the limit parameter; the payload would be rendered for other users who open the link. Successful exploitation lets an attacker run arbitrary client-side script in the context of a victim's session, but it does not lead to remote code execution or server compromise.

Generated by OpenCVE AI on April 18, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the CakePHP installation to version 5.2.12 or later; if using the 5.3 branch, upgrade to 5.3.1 or later.
  • Implement proper output encoding for any dynamic pagination limits in your application’s views to mitigate future regressions.
  • Review any custom modifications to the PaginatorHelper::limitControl() to ensure they do not reintroduce unsanitized output.
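The second recommended action above calls for output encoding of dynamic pagination limits. The following is an added illustration, not CakePHP's own PaginatorHelper code and not a reproduction of the vulnerable method: a minimal page-size selector that allow-lists the `limit` query value and escapes everything it emits. The function name, option list, form markup and the PHP 8 requirement are assumptions made for this example.

```php
<?php
// Added example (not CakePHP's code): a minimal page-size selector that
// treats the `limit` query parameter as untrusted input. The helper name,
// option list and form markup are assumptions for illustration; requires PHP 8.

declare(strict_types=1);

/**
 * Render a <form> with a <select> for choosing the page size.
 *
 * @param array<string,mixed> $query   Parsed query string (e.g. $_GET).
 * @param int[]               $options Allowed page sizes.
 */
function renderLimitControl(array $query, array $options = [20, 50, 100]): string
{
    // 1. Validate: only accept an allow-listed integer; anything else falls
    //    back to the first option. This alone keeps an injected value from
    //    ever reaching the markup.
    $requested = filter_var($query['limit'] ?? null, FILTER_VALIDATE_INT);
    $current   = in_array($requested, $options, true) ? $requested : $options[0];

    // 2. Escape on output anyway (defence in depth) so that a later change
    //    which relaxes the validation cannot reintroduce reflected XSS.
    $e = static fn(mixed $v): string =>
        htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    $html = '<form method="get"><select name="limit">';
    foreach ($options as $opt) {
        $selected = $opt === $current ? ' selected' : '';
        $html .= sprintf('<option value="%s"%s>%s</option>', $e($opt), $selected, $e($opt));
    }
    $html .= '</select>';

    // Preserve the other query parameters as hidden fields, escaped as well,
    // so that the form round-trips e.g. the current page or sort order.
    foreach ($query as $name => $value) {
        if ($name === 'limit' || !is_scalar($value)) {
            continue;
        }
        $html .= sprintf('<input type="hidden" name="%s" value="%s">', $e($name), $e($value));
    }

    return $html . '<button type="submit">Apply</button></form>';
}

// Constructed sample request: the limit value carries HTML metacharacters.
$sample = ['page' => '2', 'limit' => '20"><b>oops</b>'];
echo renderLimitControl($sample), PHP_EOL;
// The untrusted value fails validation, so the fallback size is selected,
// and every emitted attribute or text node has passed through htmlspecialchars.
```

The design point is that the two layers are independent: the allow-list makes the rendered value a known integer, and the escaping guarantees that even a value which somehow bypasses validation cannot break out of an attribute or text context. Either layer alone would have prevented the reflected output described in this advisory; keeping both is what protects against future regressions.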



Advisories
Source: Github GHSA
ID: GHSA-qh8m-9qxx-53m5
Title: CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting
History

Mon, 23 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cakephp:cakephp:*:*:*:*:*:*:*:*
cpe:2.3:a:cakephp:cakephp:5.3.0:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Cakephp
Cakephp cakephp
Vendors & Products Cakephp
Cakephp cakephp

Fri, 16 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
Title CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:21:56.372Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23643

Vulnrichment

Updated: 2026-01-16T21:21:48.383Z

NVD

Status : Analyzed

Published: 2026-01-16T21:15:51.543

Modified: 2026-02-23T20:51:11.360

Link: CVE-2026-23643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses