Cross-Site Scripting in CakePHP's PaginatorHelper Affects Users
CVE-2026-23643

5.4 MEDIUM

Key Information:

Vendor: CakePHP

Status: Vendor

CVE Published: 16 January 2026

What is CVE-2026-23643?

The CakePHP framework is susceptible to a cross-site scripting vulnerability in the PaginatorHelper::limitControl() method due to improper handling of query string parameters. The flaw can allow attackers to inject malicious scripts into web applications built on this framework, compromising the security and privacy of end users. To remediate the issue, upgrade to CakePHP version 5.2.12 or 5.3.1, which contain the necessary patches.

Affected Version(s)

cakephp >= 5.2.10, < 5.2.12 (introduced in 5.2.10, fixed in 5.2.12)

cakephp >= 5.3.0, < 5.3.1 (introduced in 5.3.0, fixed in 5.3.1)
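To tell whether an application pulls in an affected release, the following is an added example (not part of this advisory or of the CakePHP project) that reads a Composer lock file and tests the installed cakephp/cakephp version against the two ranges listed above; the lock file content is constructed for illustration.

```python
import json
import re

# Affected ranges for cakephp/cakephp as stated in this advisory:
# each entry is (introduced, fixed); a version is affected if introduced <= v < fixed.
AFFECTED_RANGES = [
    ("5.2.10", "5.2.12"),
    ("5.3.0", "5.3.1"),
]


def parse_version(v):
    """Turn '5.2.12' or 'v5.2.12' into a comparable tuple of ints (pre-release tags dropped)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.lstrip("v"))
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version):
    """Return True if the given cakephp/cakephp version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_lockfile(lock_text):
    """Return (installed version, affected?) for cakephp/cakephp, or None if it is not in the lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "cakephp/cakephp":
            return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed composer.lock fragment for demonstration (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "cakephp/cakephp", "version": "5.2.11"},
        {"name": "psr/log", "version": "3.0.0"},
    ]
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))  # ('5.2.11', True)
```

Run it against a real composer.lock by passing the file's contents to check_lockfile(); a result of True means the fixed release (5.2.12 or 5.3.1) is not yet installed.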

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
