MEDIUM
GHSA-wpvj-hjcr-h3p2
CakePHP: View::element() is missing a path containment check
Details
### Impact

`View::_getElementFileName()` does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data, this weakness can be leveraged to include other PHP files on the server.

### Patches

Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

### Workarounds

If developers are not using user-supplied data in element names, no action is required.
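As an added illustration (not CakePHP's code and not the upstream patch), a standalone PHP helper showing the containment check the advisory says is missing: canonicalise the candidate element file with `realpath()` and accept it only when it lies under one of the configured template directories. The `containedElementPath()` function, the temp-directory layout and the element names are constructed for this demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of CakePHP. Returns the canonical path of
// $candidate only if it exists and lies inside one of $templatePaths,
// otherwise null. Both sides are passed through realpath() so "..",
// symlinks and duplicate separators cannot defeat the prefix comparison.
function containedElementPath(string $candidate, array $templatePaths): ?string
{
    $real = realpath($candidate);
    if ($real === false) {
        return null;                       // file does not exist
    }
    foreach ($templatePaths as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue;                      // misconfigured base, skip it
        }
        // Trailing separator so base "/app/templates" does not match
        // a sibling directory such as "/app/templates-old".
        $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed layout: one legitimate element and one PHP file outside the
// template tree, to show which resolutions the check lets through.
$root      = sys_get_temp_dir() . '/ghsa-wpvj-demo-' . getmypid();
$elements  = $root . '/templates/element';
mkdir($elements, 0700, true);
file_put_contents($elements . '/sidebar.php', "<?php echo 'sidebar';\n");
file_put_contents($root . '/config.php', "<?php // not a template\n");

foreach (['sidebar', '../../config'] as $name) {
    $candidate = $elements . '/' . $name . '.php';   // how a name becomes a path
    $found = containedElementPath($candidate, [$root . '/templates']);
    printf("%-14s => %s\n", $name, $found === null ? 'rejected' : 'allowed');
}

// Clean up the constructed files.
unlink($elements . '/sidebar.php');
unlink($root . '/config.php');
rmdir($elements);
rmdir($root . '/templates');
rmdir($root);
```

The check is a second layer; the advisory's workaround (never building element names from user input) remains the simpler control where it applies.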
Affected packages

| Package | Introduced in | Fixed in | Fix |
| --- | --- | --- | --- |
| Packagist / cakephp/cakephp | 5.3.0 | 5.3.6 | `composer require cakephp/cakephp:^5.3.6` |
| Packagist / cakephp/cakephp | 5.2.0 | 5.2.13 | `composer require cakephp/cakephp:^5.2.13` |
| Packagist / cakephp/cakephp | 5.0.0 | 5.1.7 | `composer require cakephp/cakephp:^5.1.7` |
| Packagist / cakephp/cakephp | 4.6.0 | 4.6.4 | `composer require cakephp/cakephp:^4.6.4` |
| Packagist / cakephp/cakephp | 0 | 4.5.11 | `composer require cakephp/cakephp:^4.5.11` |