CVE-2026-23643: CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site scripting
The PaginatorHelper::limitControl() method has a reflected cross-site scripting vulnerability that is triggered through manipulation of query string parameters.
References
- bakery.cakephp.org/2026/01/14/cakephp_5212.html
- github.com/advisories/GHSA-qh8m-9qxx-53m5
- github.com/cakephp/cakephp
- github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f
- github.com/cakephp/cakephp/issues/19172
- github.com/cakephp/cakephp/releases/tag/5.2.12
- github.com/cakephp/cakephp/releases/tag/5.3.1
- github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5
- nvd.nist.gov/vuln/detail/CVE-2026-23643