CVE-2026-23643
📋 TL;DR
CVE-2026-23643 is a reflected cross-site scripting (XSS) vulnerability in CakePHP's PaginatorHelper::limitControl() method: attacker-controlled query string parameters reach the rendered pagination control without adequate escaping. It affects CakePHP applications that render this helper on an unpatched release (before 5.2.12 on the 5.2 line, or 5.3.0 on the 5.3 line). A victim who opens a crafted URL for such a page gets arbitrary JavaScript executed in their browser, in the context of the application's origin.
💻 Affected Systems
- CakePHP (fixed in 5.2.12 and 5.3.1)
📦 What is this software?
CakePHP by CakePHP
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies (where the session cookie is not HttpOnly), perform actions as the authenticated user from inside the victim's browser, read CSRF tokens and other data out of the rendered page, redirect to attacker-controlled sites, or rewrite the displayed page. Because the payload arrives in the query string, the attack is reflected rather than persistent: each victim has to open a crafted link, but the injected script then runs with full access to the application's origin.
Likely Case
Session hijacking, credential theft (for example by injecting a fake login form into the page), or other client-side attacks against users who are lured, by phishing or by links planted on other sites, to a paginated page with attacker-supplied query parameters.
If Mitigated
Reduced impact where the application already serves a strict Content Security Policy (no 'unsafe-inline' for scripts) and marks the session cookie HttpOnly; the injection point itself remains until the framework is updated.
🎯 Exploit Status
Exploitation requires a victim to open a crafted URL (delivered as a link, or planted on a page the victim visits) that targets a view rendering the pagination limit control. The attacker needs no account on the application; the victim's own session, if any, is what gets abused.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.12 (5.2 line) or 5.3.1 (5.3 line)
Vendor Advisory: https://bakery.cakephp.org/2026/01/14/cakephp_5212.html
Restart Required: No (if PHP OPcache runs with opcache.validate_timestamps=0, reset the cache or reload PHP-FPM so the updated files are actually loaded)
Instructions:
1. Update CakePHP with Composer, staying on your current line: 'composer require "cakephp/cakephp:^5.2.12"' or 'composer require "cakephp/cakephp:^5.3.1"' (or 'composer update cakephp/cakephp' if composer.json already allows the fixed version). Commit the updated composer.lock so every deployment installs the same version.
2. Clear the application cache ('bin/cake cache clear_all') if applicable.
3. Test pagination functionality, including the limit selector, on the updated build.
🔧 Temporary Workarounds
Validate the Limit Parameter Before It Reaches the Helper
Do not wrap the helper in h(): <?= h($this->Paginator->limitControl()) ?> escapes the control's own form markup, so the browser displays the HTML as literal text and the control stops working. Escape the input instead of the output.
In the controller or a middleware, accept the limit query parameter only when it is a plain integer from the page sizes your application offers and drop it otherwise, so the helper never reflects an attacker-supplied value.
Content Security Policy
Serve a strict CSP that forbids inline scripts (no 'unsafe-inline' in script-src), so injected <script> tags and inline event handlers are blocked even though the reflection still occurs. Test before rolling it out: the same policy blocks the application's own inline scripts and inline event handlers, including any that pagination controls use to submit the form on change, and those need to move into external script files.
Add to web server config or application headers: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Stop rendering PaginatorHelper::limitControl() and replace it with a hand-written limit selector whose option values are fixed in the template and never echo query string input.
- Validate query string parameters in application middleware or controllers: whitelist limit to the integers you actually offer, and drop or reject anything else before it reaches the view layer.
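The middleware approach from the list above, as an added example that is not CakePHP's own code or part of the advisory: a PSR-15 middleware that whitelists every `limit` query parameter (top level or nested inside a pagination scope) before PaginatorHelper::limitControl() can reflect it. The class name, the registration line and the page sizes [20, 50, 100] are assumptions for this example; a standard CakePHP 5 application already ships the PSR-7/PSR-15 interfaces it uses.

```php
<?php
declare(strict_types=1);

// Added example, not CakePHP's own code: a PSR-15 middleware that whitelists the
// `limit` query parameter before PaginatorHelper::limitControl() can reflect it.
// Assumptions: a standard CakePHP 5 application (PSR-7/PSR-15 via Composer), the
// hypothetical class name below, and [20, 50, 100] as the page sizes on offer.
// Register it in src/Application.php::middleware():
//   $middlewareQueue->add(new \App\Middleware\LimitQueryMiddleware([20, 50, 100]));

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class LimitQueryMiddleware implements MiddlewareInterface
{
    /** @param int[] $allowed Page sizes the application actually offers (assumed list). */
    public function __construct(private array $allowed = [20, 50, 100])
    {
    }

    /**
     * Return $query with every `limit` key, top level or nested inside a scope
     * (e.g. ['articles' => ['limit' => '20']]), kept only when it is a plain
     * decimal integer from $allowed; anything else is removed, so the helper
     * falls back to its default instead of echoing attacker input.
     * Pure function: testable without a request object.
     */
    public static function normalizeLimit(array $query, array $allowed): array
    {
        foreach ($query as $key => $value) {
            if (is_array($value)) {
                $query[$key] = self::normalizeLimit($value, $allowed);
                continue;
            }
            if ($key !== 'limit') {
                continue;
            }
            $ok = is_string($value)
                && ctype_digit($value)
                && in_array((int)$value, $allowed, true);
            if (!$ok) {
                unset($query[$key]);
            }
        }

        return $query;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $clean = self::normalizeLimit($request->getQueryParams(), $this->allowed);

        return $handler->handle($request->withQueryParams($clean));
    }
}

// Self-check on constructed input when this file is run directly from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    var_dump(LimitQueryMiddleware::normalizeLimit(
        ['page' => '2', 'limit' => '<script>alert(1)</script>', 'articles' => ['limit' => '50']],
        [20, 50, 100]
    ));
}
```

This only guards the limit parameter that this page names; it is a stop-gap for the window before the update is deployed, not a substitute for moving to 5.2.12 or 5.3.1.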
🔍 How to Verify
Check if Vulnerable:
Look up the installed framework version (not the constraint in composer.json, which only states what is allowed): run 'composer show cakephp/cakephp' in the application directory, or read it from the framework itself with the command below.
Check Version:
php -r "require 'vendor/autoload.php'; echo Cake\Core\Configure::version();"
Verify Fix Applied:
Confirm the version is 5.2.12 or later on the 5.2 line, or 5.3.1 or later on the 5.3 line (5.3.0 sorts after 5.2.12 but is still unpatched). Then request a paginated page with a parameter such as '?limit=<script>alert(1)</script>' and inspect the response source: the value must appear escaped (for example as &lt;script&gt;) or not at all, and no script may execute.
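The two-line version rule above is easy to get wrong with a single "at least 5.2.12" comparison, which accepts the unpatched 5.3.0. The following is an added example, not code from the page or from CakePHP, that checks the installed version per minor line; it assumes that releases before 5.2 count as unpatched (the page lists no fix for them) and reports anything outside 5.x as not covered instead of guessing.

```php
<?php
declare(strict_types=1);

// Added example, not from the page or from CakePHP: a branch-aware check of the
// installed framework version against the fixed releases named above. A plain
// "at least 5.2.12" comparison wrongly accepts 5.3.0, which sorts after 5.2.12
// but precedes the 5.3 line's own fix. Assumptions: 5.0/5.1 count as unpatched
// because the page lists no fix for them; 5.4+ is assumed to postdate both
// fixes; anything outside 5.x is reported as not covered rather than judged.

/** Fixed release per minor line, as stated on this page. */
const FIXED_BY_LINE = ['5.2' => '5.2.12', '5.3' => '5.3.1'];

/**
 * Return 'patched', 'unpatched' or 'not-covered' for a version string such as
 * "5.3.0", "v5.2.12" or "5.2.12-dev" (a trailing suffix is ignored).
 */
function patchStatus(string $version): string
{
    if (!preg_match('/^v?(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("unrecognised version string: $version");
    }
    [, $major, $minor, $patch] = array_map('intval', $m);
    if ($major !== 5) {
        return 'not-covered';
    }
    $line = "$major.$minor";
    if (isset(FIXED_BY_LINE[$line])) {
        [, , $fixedPatch] = array_map('intval', explode('.', FIXED_BY_LINE[$line]));
        return $patch >= $fixedPatch ? 'patched' : 'unpatched';
    }
    // 5.0 / 5.1: older than every fixed release listed (assumption, see above);
    // 5.4 and later: assumed to ship after both fixes.
    return $minor < 2 ? 'unpatched' : 'patched';
}

// Read the live version when run from an application directory; otherwise use
// a constructed sample so the script also runs stand-alone.
$autoload = __DIR__ . '/vendor/autoload.php';
if (is_file($autoload)) {
    require $autoload;
    $installed = \Cake\Core\Configure::version();
} else {
    $installed = '5.3.0'; // constructed sample, not a real installation
}
printf("CakePHP %s: %s\n", $installed, patchStatus($installed));
```

Drop the script into the application root and run it with php; it reads Cake\Core\Configure::version() through the Composer autoloader, which is the same value the one-liner above prints.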
📡 Detection & Monitoring
Log Indicators:
- Requests to paginated routes whose limit parameter (or a scoped variant of it) is not a plain integer, in particular values containing '<', 'javascript:' or an on...= event attribute, in raw or percent-encoded form (%3Cscript)
- Bursts of such requests from a single client, typically answered with 200 rather than an error, since a reflected payload does not make the request fail
Network Indicators:
- HTTP requests to pagination endpoints with script-like query strings, including percent-encoded forms (e.g. limit=%3Cscript)
- Unexpected outbound requests or redirects from pages that render the control, a sign that injected script is exfiltrating data or forwarding the user
SIEM Query (match raw and percent-encoded payloads; the field name depends on your log schema):
web.url:*limit=*script* OR web.url:*limit=*javascript* OR web.url:*limit=*%3C*
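The log indicators and the SIEM query above, run over sample access log lines, as an added example that is not part of the page: the script decodes each request target before inspecting it, so percent-encoded payloads (%3Cscript) are caught along with the raw ones, and it flags any limit value that is not an integer, not only values containing the word "script". It assumes Common Log Format lines; the log entries are constructed for this example and use documentation address ranges.

```php
<?php
declare(strict_types=1);

// Added example, not part of the page: scan web-server access logs for requests
// whose `limit` query parameter carries non-numeric or script-like content. The
// request target is URL-decoded first, so payloads that arrive percent-encoded
// (%3Cscript) are caught, which a literal *limit=*script* match on the raw URL
// misses. The log lines below are constructed for this example; the addresses
// are documentation ranges, not real clients.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [14/Jan/2026:10:01:02 +0000] "GET /articles?page=2&limit=50 HTTP/1.1" 200 5120
203.0.113.9 - - [14/Jan/2026:10:01:09 +0000] "GET /articles?limit=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5304
203.0.113.9 - - [14/Jan/2026:10:01:15 +0000] "GET /articles?articles%5Blimit%5D=%22+autofocus+onfocus%3Dalert(1)+x%3D%22 HTTP/1.1" 200 5310
203.0.113.11 - - [14/Jan/2026:10:02:00 +0000] "GET /articles?limit=javascript:alert(1) HTTP/1.1" 200 5290
198.51.100.4 - - [14/Jan/2026:10:02:30 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 900
LOG;

/**
 * Decoded values of every `limit` parameter in a request target, whether
 * top level (limit=...) or scoped (articles[limit]=...).
 */
function limitParams(string $target): array
{
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    $values = [];
    foreach (explode('&', substr($target, $pos + 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = urldecode($name);
        if ($name === 'limit' || str_ends_with($name, '[limit]')) {
            $values[] = urldecode($value);
        }
    }

    return $values;
}

/**
 * One hit per anomalous limit value: ['client', 'status', 'limit', 'reason'].
 * Lines that are not in Common Log Format are skipped.
 */
function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $client, $target, $status] = $m;
        foreach (limitParams($target) as $value) {
            if (ctype_digit($value)) {
                continue; // an ordinary page size
            }
            // Tag-open, javascript: URL or inline event handler after decoding.
            $scriptLike = preg_match('/<|javascript:|\bon\w+\s*=/i', $value) === 1;
            $hits[] = [
                'client' => $client,
                'status' => (int)$status,
                'limit'  => $value,
                'reason' => $scriptLike ? 'script-like' : 'non-numeric',
            ];
        }
    }

    return $hits;
}

foreach (scanAccessLog(SAMPLE_LOG) as $hit) {
    printf("%-14s status=%d %-11s limit=%s\n", $hit['client'], $hit['status'], $hit['reason'], $hit['limit']);
}
```

Note that every flagged request in the sample carries status 200: a reflected XSS attempt is served normally, so a rule keyed on error codes sees nothing. Feed real logs in through the same scanAccessLog() function, or port the decode-then-match logic to your SIEM if it can normalise URLs before matching.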
🔗 References
- https://bakery.cakephp.org/2026/01/14/cakephp_5212.html
- https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f
- https://github.com/cakephp/cakephp/issues/19172
- https://github.com/cakephp/cakephp/releases/tag/5.2.12
- https://github.com/cakephp/cakephp/releases/tag/5.3.1
- https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5