Description
CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data, this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.
Published: 2026-06-17
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the View::_getElementFileName() method of CakePHP, which fails to confirm that a resolved element file lies within the intended application or plugin view template directories. When an attacker supplies a specially crafted element name, this flaw can lead to the inclusion of arbitrary PHP files on the server. Such inclusion can enable the attacker to execute arbitrary code, violating the confidentiality, integrity, and availability of the application environment. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

CakePHP framework versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5 are affected. Patched releases are available in 4.5.11, 4.6.4, 5.1.7, 5.2.13, and 5.3.6.

Risk and Exploitability

The CVSS 4.0 score of 6.3 indicates moderate severity, and the EPSS score of less than 1% signals a very low likelihood of exploitation at present; the vector’s high attack complexity (AC:H) and attack requirements (AT:P) reflect that an application must first pass user-controlled data into an element name. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. The most probable attack vector involves an attacker supplying a malicious element name through a user‑controlled request, exploiting the missing path containment check to trigger file inclusion. With the ability to execute arbitrary PHP, the attacker may gain full control of the application.

Generated by OpenCVE AI on June 18, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CakePHP to the patched versions listed above (4.5.11, 4.6.4, 5.1.7, 5.2.13, 5.3.6).
  • If an upgrade is not immediately feasible, validate or sanitize all element names so that only allowed characters (e.g., alphanumeric and underscores) are accepted before passing them to the view renderer.
  • Confirm that the application’s configuration restricts dynamic element inclusion to a whitelist of approved directories or templates, thereby preventing arbitrary file paths from being resolved.
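As an added example (not OpenCVE's or CakePHP's own code), the following helper applies both recommended actions before a user-influenced name reaches View::element(): a character allow-list followed by a realpath containment check against the configured template roots. The `templates/element/<name>.php` layout and the PHP 8 functions `str_contains()` / `str_starts_with()` are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical guard (not part of CakePHP): returns the absolute path of an
 * element file only if the name is well-formed AND the resolved file lies
 * inside one of the application's or plugins' template roots.
 *
 * @param string   $name          user-influenced element name, e.g. "sidebar/menu"
 * @param string[] $templateRoots template directories, e.g. [ROOT . '/templates']
 */
function resolveElementSafely(string $name, array $templateRoots): string
{
    // 1. Allow-list: letters, digits, underscore, hyphen and '/' for subfolders.
    //    '.', '..' and absolute paths never match this pattern. Plugin-prefixed
    //    names ("Plugin.element") are deliberately out of scope for this guard.
    if (!preg_match('~^[A-Za-z0-9_][A-Za-z0-9_\-/]*$~', $name) || str_contains($name, '//')) {
        throw new InvalidArgumentException('Rejected element name: ' . $name);
    }

    // 2. Containment: even a well-formed name must resolve inside a template root
    //    (defends against symlinks or future relaxations of the allow-list).
    foreach ($templateRoots as $root) {
        $realRoot = realpath($root);
        if ($realRoot === false) {
            continue;
        }
        $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Assumed layout: <root>/element/<name>.php (CakePHP 4/5 default "templates/element").
        $candidate = realpath($realRoot . 'element' . DIRECTORY_SEPARATOR . $name . '.php');
        if ($candidate !== false && str_starts_with($candidate, $realRoot)) {
            return $candidate;
        }
    }
    throw new RuntimeException('Element not found inside template roots: ' . $name);
}

// Constructed demonstration: the last two names fail the allow-list; the first
// two are accepted only if the corresponding file exists under templates/element/.
foreach (['sidebar/menu', 'footer', '../../config/app', '/etc/passwd'] as $candidate) {
    try {
        $path = resolveElementSafely($candidate, [__DIR__ . '/templates']);
        echo "accepted: {$candidate} -> {$path}\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo "rejected: {$candidate} ({$e->getMessage()})\n";
    }
}
```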



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type / Values Removed / Values Added
(no values removed in this entry)
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type / Values Removed / Values Added
(no values removed in this entry)
Description: CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.
Title: CakePHP: View::element() is missing a path containment check
Weaknesses: CWE-22, CWE-98
References: (none listed)
Metrics: cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:54:12.069Z

Reserved: 2026-05-22T20:57:10.977Z

Link: CVE-2026-48820

Vulnrichment

Updated: 2026-06-18T13:52:36.625Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')