CVE-2026-23643

Vulnerability

CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

References

launchpad.net/ubuntu-cve-tracker: https://bakery.cakephp.org/2026/01/14/cakephp_5212.html
launchpad.net/ubuntu-cve-tracker: https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f
launchpad.net/ubuntu-cve-tracker: https://github.com/cakephp/cakephp/issues/19172
launchpad.net/ubuntu-cve-tracker: https://github.com/cakephp/cakephp/releases/tag/5.2.12
launchpad.net/ubuntu-cve-tracker: https://github.com/cakephp/cakephp/releases/tag/5.3.1
launchpad.net/ubuntu-cve-tracker: https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5
launchpad.net/ubuntu-cve-tracker: https://www.cve.org/CVERecord?id=CVE-2026-23643

severitym

medium

type: vendor

source: launchpad.net/ubuntu-cve-tracker

published: 2026-01-16 21:15:00

Detection

No detection criteria available for this vulnerability.

Data Sources

Ubuntu CVE Tracker
ubuntu-cve-tracker
- raw: ghcr.io/vulsio/vuls-data-db:vuls-data-raw-ubuntu-cve-tracker
- extracted: ghcr.io/vulsio/vuls-data-db:vuls-data-extracted-ubuntu-cve-tracker

FutureVuls|GitHub