backpack/crud Vulnerable to Cross-site Scripting
CVE-2022-31114

5.1MEDIUM

Key Information:

Vendor: Laravel-backpack
Status: Crud
Vendor: CVE Published:; 3 June 2026

🔔 Create Laravel-backpack Vulnerability Alert

What is CVE-2022-31114?

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in resources/views/errors and output e($exception->getMessage()) instead of $exception->getMessage().

Affected Version(s)

CRUD >= 5.0.0, < 5.0.13 < 5.0.0, 5.0.13

CRUD >= 4.0.0, < 4.1.69 < 4.0.0, 4.1.69

CRUD < 4.0.63 < 4.0.63

References

https://github.com/Laravel-Backpack/CRUD/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
May 18, 2022

CVE-2022-31114 Data

JSON