Moderate severity · OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026
CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting
CVE-2026-23643
Description
CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
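As an added illustration (not code from CakePHP or from the fix commit), a minimal stand-in for the hidden-field generation that limitControl() relies on when it re-submits the current query, showing why the field name needs the same escaping as the value. The names flattenQuery and hiddenFields are hypothetical, and htmlspecialchars() stands in for CakePHP's h().

```php
<?php
// Added illustration, not CakePHP's own code. The helper names
// (flattenQuery, hiddenFields) are hypothetical.

declare(strict_types=1);

// Flatten a (possibly nested) query array into "a[b][c]" => value pairs,
// the shape hidden inputs need when a GET form re-submits the query.
function flattenQuery(array $query, string $prefix = ''): array
{
    $out = [];
    foreach ($query as $key => $value) {
        $name = $prefix === '' ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $out += flattenQuery($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

// Render one hidden input per flattened pair. Both the name and the value
// go through htmlspecialchars() with ENT_QUOTES (what CakePHP's h() does);
// the advisory's fix adds the missing escaping on the name side, since the
// name is derived from attacker-controllable request query keys.
function hiddenFields(array $query): string
{
    $html = '';
    foreach (flattenQuery($query) as $name => $value) {
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }
    return $html;
}

// Constructed input: the query key from the regression test in the patch.
// Every '"', '<', '>' and "'" in the key becomes an entity, so the browser
// sees a single attribute value rather than a closed tag followed by markup.
$query = ['xyz"/><script>alert(\'hi\')</script>xyz' => 'hi', 'page' => '1'];
echo hiddenFields($query);
```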
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cakephp/cakephp (Packagist) | >= 5.2.10, < 5.2.12 | 5.2.12 |
| cakephp/cakephp (Packagist) | >= 5.3.0, < 5.3.1 | 5.3.1 |
Affected products
Patches
c842e7f45d85: Fix missing HTML escaping in PaginatorHelper
2 files changed · +41 −1
src/View/Helper/PaginatorHelper.php+1 −1 modified@@ -1311,7 +1311,7 @@ protected function generateHiddenFields(array $data, string $prefix = ''): strin $out .= $this->generateHiddenFields($value, $fieldName); } else { // Generate hidden field for scalar values - $out .= $this->Form->hidden($fieldName, ['value' => $value]); + $out .= $this->Form->hidden(h($fieldName), ['value' => $value]); } }
tests/TestCase/View/Helper/PaginatorHelperTest.php+40 −0 modified@@ -3115,6 +3115,46 @@ public function testLimitControlUrlWithQuery(): void $this->assertHtml($expected, $out); } + /** + * test the limitControl() escapes query parameters + * + * @return void + */ + public function testLimitControlUrlWithQueryEscaping(): void + { + $request = new ServerRequest([ + 'url' => '/batches?page=2&xyz"/><script>alert(\'hi\')</script>xyz=hi', + 'params' => [ + 'plugin' => null, 'controller' => 'Batches', 'action' => 'index', 'pass' => [], + ], + 'query' => ['xyz"/><script>alert(\'hi\')</script>xyz' => 'hi'], + 'base' => '', + 'webroot' => '/', + ]); + Router::setRequest($request); + $this->View->setRequest($request); + $this->setPaginatedResult(['perPage' => 10, 'currentPage' => 2]); + + $out = $this->Paginator->limitControl([1 => 1]); + $expected = [ + ['form' => ['method' => 'get', 'accept-charset' => 'utf-8', 'action' => '/Batches/index']], + ['input' => ['type' => 'hidden', 'name' => 'xyz"/><script>alert('hi')</script>xyz', 'value' => 'hi']], + ['input' => ['type' => 'hidden', 'name' => 'page', 'value' => '1']], + ['div' => ['class' => 'input select']], + ['label' => ['for' => 'limit']], + 'View', + '/label', + ['select' => ['name' => 'limit', 'id' => 'limit', 'onChange' => 'this.form.requestSubmit()']], + ['option' => ['value' => '1']], + '1', + '/option', + '/select', + '/div', + '/form', + ]; + $this->assertHtml($expected, $out); + } + /** * test the limitControl() method with defaults and query */
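Review bot: in the PaginatorHelper.php hunk the change escapes only the field name at the scalar branch (`$out .= $this->Form->hidden(h($fieldName), ['value' => $value]);`) and still passes `$value` through unescaped, so it relies on Form->hidden() escaping the value attribute; it is worth confirming that Form->hidden() does not also escape the name, since a pre-escaped name containing quotes would then be double-encoded, and a short comment explaining why h() is needed here (the name is built from request query keys) would help the next reader. The recursive branch `$out .= $this->generateHiddenFields($value, $fieldName);` is unchanged, which is fine because every leaf eventually reaches the scalar branch with its full prefixed name.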
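Review bot: in the PaginatorHelperTest.php hunk the expected array of testLimitControlUrlWithQueryEscaping() lists the hidden input's name as the raw string `'xyz"/><script>alert('hi')</script>xyz'`, so whether this test fails against the unpatched helper depends on how assertHtml() matches attribute values; a direct assertion on $out, such as assertStringNotContainsString('<script>', $out) or a check for the escaped form, would make the regression explicit. As rendered here that literal also contains unescaped single quotes inside a single-quoted PHP string (alert('hi')), unlike the 'url' and 'query' lines just above it which use alert(\'hi\'); if the file really reads that way it will not parse. Minor: the docblock's @return void duplicates the declared `: void` return type, and "test the limitControl() escapes query parameters" reads better as "test that limitControl() escapes query parameters".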
References
- github.com/advisories/GHSA-qh8m-9qxx-53m5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23643 (advisory)
- bakery.cakephp.org/2026/01/14/cakephp_5212.html (web)
- github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f (web)
- github.com/cakephp/cakephp/issues/19172 (web)
- github.com/cakephp/cakephp/releases/tag/5.2.12 (web)
- github.com/cakephp/cakephp/releases/tag/5.3.1 (web)
- github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 (vendor confirmation)