Cakephp · Cakephp · CVE-2026-23643
**Name of the Vulnerable Software and Affected Versions**
CakePHP versions prior to 5.2.12
CakePHP versions prior to 5.3.1
**Description**
The `PaginatorHelper::limitControl()` method is vulnerable to cross-site scripting (XSS) through manipulated query string parameters. If you are unable to upgrade, avoid using `PaginatorHelper::limitControl()` (called in templates as `$this->Paginator->limitControl()`).
**Recommendations**
Upgrade to CakePHP version 5.2.12 or later.
Upgrade to CakePHP version 5.3.1 or later.