CVE-2020-26138
Description
In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation, allowing data validation bypass.
Vulnerability
In SilverStripe versions through 4.6.0-rc1, a FormField with square brackets in the field name (e.g., field[]) causes the framework to skip validation for that field. This occurs because PHP interprets the field name as an array, and the validation logic does not properly handle array-type field names [1][2].
Exploitation
An attacker can craft a form submission where a field name includes square brackets, bypassing server-side validation. No authentication is required if the form is publicly accessible; otherwise, the attacker needs to submit a form they have access to. The attacker simply appends [] to the field name in the HTTP request payload [2].
Impact
Successful exploitation allows the attacker to submit invalid or malicious data that would otherwise be rejected by validation. This could lead to data corruption, injection attacks, or other unintended behavior depending on the form's processing logic. The confidentiality and availability of the system are not directly compromised, but integrity of submitted data is undermined [1][2].
Mitigation
SilverStripe has released a fix in versions after 4.6.0-rc1. Users should upgrade to SilverStripe 4.6.0 or later. As a workaround, developers can manually validate fields with square brackets in custom code or ensure that field names do not contain square brackets [2]. No known KEV listing.
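The following is an added illustration of the mechanism described under Vulnerability and of the manual-validation workaround mentioned above. It is standalone hypothetical PHP, not SilverStripe's own code: the field names, validators and posted data are constructed, and it shows why a validator that looks up submitted values by the literal field name never sees a bracketed field, and how resolving the name against PHP's parsed request fixes that.

```php
<?php
// Added illustration (not SilverStripe code): PHP turns "tags[]" into $_POST['tags'],
// so a lookup keyed by the literal name "tags[]" finds nothing and the field goes unvalidated.
// Turn a form field name such as "tags[]" or "address[postcode]" into the list
// of keys PHP uses when it builds $_POST from the request body.
function fieldNameToPath(string $name): array
{
    if (!preg_match('/^([^\[]+)((?:\[[^\]]*\])*)$/', $name, $m)) {
        return [$name];
    }
    $path = [$m[1]];
    preg_match_all('/\[([^\]]*)\]/', $m[2], $parts);
    foreach ($parts[1] as $key) {
        $path[] = $key; // "" marks an auto-indexed "[]" segment
    }
    return $path;
}
// Walk the parsed data along the path and return every leaf value found.
function collectValues(array $data, array $path): array
{
    $node = $data;
    foreach ($path as $i => $key) {
        if ($key === '') { // "[]": every element at this level is a candidate
            $rest = array_slice($path, $i + 1);
            $out = [];
            foreach ((array) $node as $child) {
                $out = array_merge($out, $rest ? collectValues((array) $child, $rest) : [$child]);
            }
            return $out;
        }
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return [];
        }
        $node = $node[$key];
    }
    return is_array($node) ? $node : [$node];
}
// Constructed submission, as PHP would parse "email=x&tags[]=a&tags[]=<script>".
$post = ['email' => 'not-an-email', 'tags' => ['a', '<script>']];
$required = ['email'  => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
             'tags[]' => fn($v) => preg_match('/^[A-Za-z0-9_-]+$/', $v) === 1];
foreach ($required as $field => $check) {
    // Naive lookup would be $post[$field]; for "tags[]" that key is unset, so the
    // field would be skipped. Resolving the name through the parsed array instead:
    $values = collectValues($post, fieldNameToPath($field));
    $bad = array_filter($values, fn($v) => !$check($v));
    printf("%-8s %d value(s), %d rejected\n", $field, count($values), count($bad));
}
```

Running it reports one rejected value for `email` and one of the two `tags[]` values rejected, whereas a literal-name lookup would have validated `email` only.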
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 3.0.0, < 4.7.4 | 4.7.4 |
Affected products
- SilverStripe/SilverStripe (OSV coordinates, no CPE), 2 version ranges:
  - range: < 4.6.0
  - range: >= 3.0.0, < 4.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7mv4-4xpg-xq44 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-26138 (GHSA, advisory)
- forum.silverstripe.org/c/releases (MITRE, x_refsource_MISC)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-26138.yaml (GHSA, web)
- www.silverstripe.org/blog/tag/release (MITRE, x_refsource_MISC)
- www.silverstripe.org/download/security-releases/ (MITRE, x_refsource_CONFIRM)
- www.silverstripe.org/download/security-releases/cve-2020-26138 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.