CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

Published Jan 19, 2026

https://github.com/cakephp/cakephp/issues/19172 https://github.com/advisories/GHSA-qh8m-9qxx-53m5

CVSS ScoreMedium

5.3

Ecosystem	Package	Version

Ecosystem	Package	Version

Vulnerabilities

CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

Published Jan 19, 2026

https://github.com/cakephp/cakephp/issues/19172 https://github.com/advisories/GHSA-qh8m-9qxx-53m5

CVSS ScoreMedium

5.3


composer	cakephp/cakephp	5.2.10
composer	cakephp/cakephp	5.2.11
composer	cakephp/cakephp	5.3.0

Ecosystem	Package	Version


composer	cakephp/cakephp	5.2.10
composer	cakephp/cakephp	5.2.11
composer	cakephp/cakephp	5.3.0

Find vulnerabilities. Fix fast with AI.

CVE-2026-23643

CVE-2026-23643