CVE-2026-48820
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
In CakePHP, versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, the View::_getElementFileName() function does not check if the resolved element path is within the allowed application/plugin view template paths. This weakness can be exploited to include other PHP files on the server using specifically crafted user-supplied data.
Risk Assessment
This vulnerability may lead to unauthorized access to PHP files on the server, posing a serious threat to the security of the application and user data.
Recommendation
It is recommended to upgrade to versions 5.3.6, 5.2.13, 5.1.7, 4.6.4, or 4.5.11, which contain fixes that address this vulnerability.
Original NVD description (English source)
CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

