CVE-2026-23643 — CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scrip

Description

### Impact The `PaginatorHelper::limitControl()` method has a cross-site-scripting vulnerability via query string parameter manipulation. ### Patches This issue has been fixed in 5.2.12 and 5.3.1 ### Workarounds If you are unable to upgrade, you should avoid using `Paginator::limitControl()` until you can upgrade.

How to fix CVE-2026-23643

To remediate CVE-2026-23643, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 5.2.12 or later

Is CVE-2026-23643 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 5.2.10, < 5.2.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-23643
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-23643
PATCHgithub.com/cakephp/cakephp
WEBbakery.cakephp.org/2026/01/14/cakephp_5212.html
WEB