VYPR
Moderate severity · OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026

CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting

CVE-2026-23643

Description

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| cakephp/cakephp (Packagist) | >= 5.2.10, < 5.2.12 | 5.2.12 |
| cakephp/cakephp (Packagist) | >= 5.3.0, < 5.3.1 | 5.3.1 |
