PT-2026-46102 · Packagist · Backpack Crud
Published
2026-06-03
·
Updated
2026-06-03
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Impact
It’s a “moderate” vulnerability… but being an admin panel, we take this seriously. It’s difficult… but an attacker could conduct a targeted phishing campaign, in order to trick your users or admins to click a malicious link, which under very specific circumstances could give them information... or even admin access. It’s unlikely, but that’s not good enough in admin panels - we should make it impossible. That’s why we’re bothering you with this.
Patches
If you don’t have custom error views, the views provided by Backpack would output the exception message without escaping it, which made an attack possible using Reflected XSS, in some very specific circumstances (that we will not disclose). To fix those error views in Backpack 4.x and 5.x, please run:
composer update backpack/crud
php artisan backpack:fixThe problem has been patched in:
- v4.0.63
- v4.1.69
- v5.0.13
IMPORTANT! Running acomposer updateshould get you the patched version, but you also need to runphp artisan backpack:fixafterwards, to patch your published error views, if necessary.
Workarounds
Alternatively (if you don’t want to run
composer update), you can manually look inside your error views in “resources/views/errors” and output e($exception->getMessage()) instead of $exception->getMessage(). That’s all there is to the fix, really.What the maintainers have done about this
Acted as soon as our team found it (last week of March 2022):
- Pushed patches to 5.x, 4.1 and 4.0;
- Made it easy to apply the fix to existing projects, using a new
php artisan backpack:fixcommand; - Kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible;
- Emailed all our licensed users, to have a chance to fix their projects before it’s public;
- Sent an email blast to our 25.000+ strong Security Newsletter;
- Made this public with a blog post and soon a CVE, after our community has had a reasonable chance to fix their projects;
- Will continue to monitor this and remind paying users to apply this fix if they haven’t;
For more information
If you have any questions or comments about this advisory:
- Open an issue in backpack/crud
- Email us at hello@backpackforlaravel.com
PS. You can read this blog post for more information.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Backpack Crud