GHSA-wpvj-hjcr-h3p2Medium

CakePHP: View::element() is missing a path containment check

Published
June 26, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server.

Patches

Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

Workarounds

If developers are not using user-supplied data in element names, no action is required.

🎯 Affected products5

  • composer/cakephp/cakephp:>= 5.3.0, < 5.3.6
  • composer/cakephp/cakephp:>= 5.2.0, < 5.2.13
  • composer/cakephp/cakephp:>= 5.0.0, < 5.1.7
  • composer/cakephp/cakephp:>= 4.6.0, < 4.6.4
  • composer/cakephp/cakephp:< 4.5.11

🔗 References (3)