CVE-2022-31114: CVE-2022-31114: Reflected Cross-Site Scripting in Laravel Backpack Error Views

#security #cve #cybersecurity

CVE-2022-31114: Reflected Cross-Site Scripting in Laravel Backpack Error Views

Vulnerability ID: CVE-2022-31114
CVSS Score: 5.1
Published: 2026-06-03

CVE-2022-31114 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the popular administrative panel package 'backpack/crud'. The flaw is rooted in the unsafe, raw rendering of PHP exception messages within the default error templates. When an unescaped exception message reflects malicious user-provided input, arbitrary JavaScript can execute within an administrator's browser session.

TL;DR

Unescaped exception messages in Laravel Backpack's default error views allow attackers to execute arbitrary JavaScript in the context of an authenticated administrator via crafted links.

Technical Details

CWE ID: CWE-79
Vulnerability Class: Reflected Cross-Site Scripting (XSS)
CVSS v4.0 Score: 5.1
Attack Vector: Network (AV:N)
Exploit Status: None / Unproven
CISA KEV Status: Not Listed

Affected Systems

Laravel applications running backpack/crud package versions below 5.0.13, 4.1.69, or 4.0.63
backpack/crud: >= 5.0.0, < 5.0.13 (Fixed in: 5.0.13)
backpack/crud: >= 4.1.0, < 4.1.69 (Fixed in: 4.1.69)
backpack/crud: < 4.0.63 (Fixed in: 4.0.63)

Mitigation Strategies

Update backpack/crud dependency to patched versions
Execute 'php artisan backpack:fix' to clean published views
Implement Content Security Policy (CSP) restricting inline scripts
Ensure HttpOnly and SameSite flags are configured on session cookies

Remediation Steps:

Run 'composer update backpack/crud' to retrieve the latest secure package
Execute 'php artisan backpack:fix' in the application environment to clean locally published error templates
Verify that resources/views/errors/ templates do not contain raw exception message output