CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23643: Let Them Eat XSS: Breaking CakePHP's PaginatorHelper


Vulnerability ID: CVE-2026-23643
CVSS Score: 5.4
Published: 2026-01-16

A deep dive into a reflected cross-site scripting vulnerability in CakePHP's PaginatorHelper. By placing a payload in the name of a query parameter (the key, not the value), an attacker can abuse the way the helper preserves request state across pagination, leading to arbitrary JavaScript execution in the victim's browser.

TL;DR

CakePHP's PaginatorHelper tries to be helpful by automatically generating hidden form fields to preserve your current search filters when you change the page limit. Unfortunately, it trusted the parameter names (keys) too much. By injecting a payload into the URL query key, an attacker can break out of the HTML attribute and execute JavaScript. Fixed in 5.2.12 and 5.3.1.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (Reflected)
  • CVSS: 5.4 (Medium)
  • Bug Class: Input Validation Error
  • Component: PaginatorHelper
  • Exploit Status: PoC Available

Affected Systems

  • CakePHP Framework 5.2.x (before 5.2.12)
  • CakePHP Framework 5.3.x (before 5.3.1)
  • Applications using PaginatorHelper::limitControl()
  • CakePHP: >= 5.2.10, < 5.2.12 (Fixed in: 5.2.12)
  • CakePHP: >= 5.3.0, < 5.3.1 (Fixed in: 5.3.1)

Code Analysis

Commit: c842e7f

Fix XSS in limitControl by escaping field names

- $out .= $this->Form->hidden($fieldName, ['value' => $value]);
+ $out .= $this->Form->hidden(h($fieldName), ['value' => $value]);
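Review bot: Passing h($fieldName) as the first argument means FormHelper::hidden() receives the already-HTML-encoded string as the field identifier, not merely as the text of the rendered name attribute, so anything hidden() derives from that argument (the name attribute, any generated id, any value lookup against the form context) now sees `&quot;` and `&gt;` in place of the original characters, and if hidden() escapes attribute text on output as well, the name is encoded twice. Please confirm that an ordinary key such as `search` still round-trips unchanged and add a regression test whose key contains `"` and `<`; note also that the hunk leaves `$value` untouched, so the value side still relies entirely on hidden()'s own escaping.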

Commit: b6765ff

Ensure limit is an integer

- 'value' => $this->_View->getRequest()->getQuery('limit'),
+ 'value' => $limit !== null ? (int)$limit : null,
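Review bot: `$limit` is not defined anywhere in this hunk, so the line that reads it from the request (replacing the removed getQuery('limit') call) must sit in the context above; please include that assignment in the diff so the change can be reviewed as a whole. Separately, `(int)$limit` coerces rather than validates: a non-numeric string becomes 0 and `"10abc"` becomes 10, so an invalid limit is still reflected as value="0" instead of being dropped. Consider `filter_var($limit, FILTER_VALIDATE_INT)` (or `ctype_digit`) with a fallback to null when validation fails.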

Exploit Details

  • GitHub Issue: Original bug report demonstrating the XSS via limitControl

Mitigation Strategies

  • Update CakePHP framework immediately.
  • Audit custom helpers that generate HTML attributes from array keys.
  • Implement strict Content Security Policy (CSP) to block inline scripts.
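The example below is added to this post and is not CakePHP's code; it is a minimal stand-in for the hidden-field generation that the TL;DR and the Code Analysis describe, so the bug class can be seen and audited for in isolation. It renders the unsafe shape (key interpolated raw, value escaped) next to the hardened shape (key escaped the same way, as commit c842e7f does with h()), and validates the limit with filter_var() rather than the (int) cast of commit b6765ff, which is a stricter choice of this example, not the project's. The function names and the sample query array are constructed for the illustration; a real request would arrive through the framework's request object.

```php
<?php
// Added example, not CakePHP's code. Function names and sample data are constructed.

// Constructed query string as PHP would parse it. The markup sits in the KEY:
// the equivalent URL would be ?%22%3E%3Cb%3Einjected%3C%2Fb%3E=1&search=cake+%26+pie&limit=10
$sampleQuery = [
    '"><b>injected</b>' => '1',
    'search'            => 'cake & pie',
    'limit'             => '10',
];

// Vulnerable shape: the value is escaped but the key is written into the
// name attribute untouched, so a key containing '"' closes the attribute.
function hiddenFieldsUnsafe(array $query): string
{
    $out = '';
    foreach ($query as $key => $value) {
        if ($key === 'limit') {
            continue; // the limit itself is rendered as a <select>, not a hidden field
        }
        $out .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            $key,                                                  // raw key (the bug)
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')  // escaped value
        );
    }
    return $out;
}

// Hardened shape: the key receives the same escaping as the value.
// CakePHP's h() is a wrapper around htmlspecialchars() with ENT_QUOTES.
function hiddenFieldsSafe(array $query): string
{
    $out = '';
    foreach ($query as $key => $value) {
        if ($key === 'limit') {
            continue;
        }
        $out .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars((string)$key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $out;
}

// Only a genuine integer limit is echoed back into the page; anything else
// is dropped. filter_var() rejects "10abc" and "" where an (int) cast would
// silently turn them into 10 and 0.
function selectedLimit(?string $limit): ?int
{
    if ($limit === null) {
        return null;
    }
    $int = filter_var($limit, FILTER_VALIDATE_INT);
    return $int === false ? null : $int;
}

echo "--- vulnerable output ---\n", hiddenFieldsUnsafe($sampleQuery);
echo "--- hardened output ---\n", hiddenFieldsSafe($sampleQuery);
echo "selected limit: ", var_export(selectedLimit($sampleQuery['limit']), true), "\n";
echo "bogus limit:    ", var_export(selectedLimit('10abc'), true), "\n";
```

Running the script shows the vulnerable branch emitting a name attribute that ends at the injected quote, with the rest of the key landing in the page as live markup, while the hardened branch prints it as inert text (`&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`). When auditing custom helpers, the thing to look for is exactly this asymmetry: a loop over `$_GET`, `getQuery()` or any user-controlled array in which `$value` is escaped but `$key` is not.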

Remediation Steps:

  1. Check your current version: composer show cakephp/cakephp
  2. Run composer update cakephp/cakephp to pull version 5.2.12+ or 5.3.1+
  3. Verify the update by checking vendor/cakephp/cakephp/src/View/Helper/PaginatorHelper.php for the h($fieldName) change.

Read the full report for CVE-2026-23643 on our website for more details including interactive diagrams and full exploit analysis.
