Lucene search
K

309 matches found

NVD
NVD
added 5 days ago7 views

CVE-2026-55590

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the...

6.1CVSS0.00578EPSS
Exploits0References10
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-55590 CakePHP: Open redirect weakness via backslash bypass

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the...

5.1CVSS0.00578EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-55590

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the...

5.1CVSS5.9AI score0.00578EPSS
Exploits0References11Affected Software1
CVE
CVE
added 5 days ago29 views

CVE-2026-55590

The CVE-2026-55590 entry concerns the CakePHP Authentication plugin (CakePHP, PSR-7 compatible) with a backslash bypass in getLoginRedirect() that enables open redirects to attacker-controlled hostnames through the redirect query parameter. Affected versions: prior to 2.11.1, 3.3.6, and 4.1.1. Th...

6.1CVSS5.9AI score0.00578EPSS
Exploits0References10Affected Software1
EUVD
EUVD
added 2026/06/26 9:0 p.m.24 views

EUVD-2026-37807

CakePHP: View::element is missing a path containment check...

6.3CVSS5.8AI score0.00258EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.14 views

PT-2026-51293

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description Multiple core controllers and model capture paths accept client-controlled request fields, including primary keys id and ownership or scope foreign keys such as event id, org id, user id, sharin...

9.4CVSS6AI score0.00362EPSS
Exploits0References21
NVD
NVD
added 2026/06/17 10:16 p.m.16 views

CVE-2026-48820

CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::getElementFileName does not check that the resolved element path is within the application/plugin view template paths...

6.3CVSS0.00258EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/17 9:19 p.m.25 views

CVE-2026-48820 CakePHP: View::element() is missing a path containment check

CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::getElementFileName does not check that the resolved element path is within the application/plugin view template paths...

6.3CVSS0.00258EPSS
Exploits0References1
CVE
CVE
added 2026/06/17 9:19 p.m.29 views

CVE-2026-48820

The CakePHP CVE-2026-48820 vulnerability affects View::_getElementFileName(), where the resolved element path is not validated to be within the application/plugin view template paths. This can allow crafted user-supplied data to include other PHP files on the server. Affected versions span 4.5.11...

6.3CVSS5.4AI score0.00258EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/17 6:52 p.m.4 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect in the getLoginRedirect function. An attacker can redirect users to an attacker-controlled hostname by exploiting a backslash bypass in the redirect target. Remediation Upgrade cakephp/authentication to version 3.3.6, 4.1....

6.1CVSS5.8AI score0.00578EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 6:52 p.m.15 views

CakePHP Authentication: Open redirect weakness via backslash bypass

Impact The getLoginRedirect method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames. Patches 3.3.6 and 4.1.1 contain a fix for this issue. Workarounds If you are unable to upgrade, you should consider adding application validation to the...

6.1CVSS5.3AI score0.00578EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50550

Name of the Vulnerable Software and Affected Versions CakePHP versions prior to 4.5.11 CakePHP versions 4.6.0 through 4.6.3 CakePHP versions 5.0.0 through 5.1.6 CakePHP versions 5.2.0 through 5.2.12 CakePHP versions 5.3.0 through 5.3.5 Description The getElementFileName function in the View class...

6.3CVSS5.9AI score0.00258EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:51 p.m.12 views

EUVD-2026-36552

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 7:51 p.m.21 views

CVE-2026-54360

CVE-2026-54360 affects MISP: the mass assignment in the sharing group creation flow (SharingGroupsController::add) allows an authenticated user to submit an existing group’s id, causing a create() followed by save() to update that group. This could enable takeover or alteration of sharing groups ...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/17 9:3 p.m.15 views

CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1...

5.4CVSS6.9AI score0.00252EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/01/17 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-23643

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl method has a cross- site-scripting vulnerability via query string parameter...

5.4CVSS5.8AI score0.00252EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/16 9:51 p.m.4 views

Cross-site Scripting (XSS)

Overview cakephp/cakephp is a rapid development framework for PHP which uses commonly known design patterns like Associative Data Mapping, Front Controller, and MVC. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the PaginatorHelper::limitControl function. An...

5.4CVSS5.7AI score0.00252EPSS
Exploits0References2
NVD
NVD
added 2026/01/16 9:15 p.m.14 views

CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1...

5.4CVSS0.00252EPSS
Exploits0References6
OSV
OSV
added 2026/01/16 9:15 p.m.5 views

DEBIAN-CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1...

5.4CVSS6.9AI score0.00252EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2026/01/16 9:15 p.m.7 views

CVE-2026-23643

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1...

5.4CVSS5.9AI score0.00252EPSS
Exploits0References7
Rows per page
Query Builder