CVE-2026-48820

Summary

CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

Affected Software

VendorProductVersion RangeStatus
cakephpcakephp>= 5.3.0, < 5.3.6affected
cakephpcakephp>= 5.2.0, < 5.2.13affected
cakephpcakephp>= 5.0.0, < 5.1.7affected
cakephpcakephp>= 4.6.0, < 4.6.4affected
cakephpcakephp< 4.5.11affected

Weaknesses

  • CWE-98: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References