CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2022-31114

CVE-2022-31114: Reflected Cross-Site Scripting in Laravel Backpack Error Views

Alon Barad
Alon Barad
Software Engineer

Jun 3, 2026·6 min read·10 visits

Executive Summary (TL;DR)

Unescaped exception messages in Laravel Backpack's default error views allow attackers to execute arbitrary JavaScript in the context of an authenticated administrator via crafted links.

CVE-2022-31114 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the popular administrative panel package 'backpack/crud'. The flaw is rooted in the unsafe, raw rendering of PHP exception messages within the default error templates. When an unescaped exception message reflects malicious user-provided input, arbitrary JavaScript can execute within an administrator's browser session.

Vulnerability Overview

The PHP package backpack/crud is a popular administration panel framework for Laravel, designed to accelerate backend development. Because it manages administrative access, it occupies a highly privileged position within the web application architecture. This makes its user interfaces and error handling routines high-value targets for malicious actors seeking administrative access.

This vulnerability, CVE-2022-31114, is classified as an instance of Reflected Cross-Site Scripting (CWE-79). The flaw is located in the custom error-rendering templates bundled with the package. If an attacker can craft a request that triggers an application exception containing malicious input, the application will render that input back to the user without prior sanitization.

In administrative panels, Reflected Cross-Site Scripting carries severe implications. Although categorized as medium severity due to the requirement of user interaction, successful exploitation can result in full session hijacking. If the victim has administrative privileges, the execution of arbitrary JavaScript can lead to unauthorized backend configurations or administrative credential theft.

Root Cause Analysis

In standard Laravel development, the Blade template engine provides two main types of echo statements. The default syntax {{ $variable }} automatically passes the variable through PHP's htmlspecialchars function to prevent XSS. Conversely, the unescaped syntax {!! $variable !!} renders the variable directly without any sanitation, which is intended for trusted HTML content.

In vulnerable versions of backpack/crud, the templates responsible for displaying error codes and exception messages utilized the unescaped syntax. Specifically, the exception message was outputted using {!! $exception->getMessage() !!}. This design choice meant that any HTML or JavaScript contained within the exception message was executed directly by the rendering web browser.

Exception messages often incorporate raw, unvalidated input. For example, database query exceptions generated during an invalid search filter may include the search parameter directly in the SQL error output. Similarly, validation and routing systems often echo back requested identifiers in their error messages. This direct echo behavior provides the necessary reflection point to execute the XSS payload.

Code Analysis & Patch Review

The vulnerable code path revolves around how the error layout displays the message variable. The template previously loaded the exception's message using raw execution delimiters, exposing the application to injection attacks.

<!-- Vulnerable Implementation (layout.blade.php) -->
<div class="row m-t-40">
    <div class="col-md-12 text-center">
        <div class="error_number">
            @yield('title')
        </div>
        <div class="error_message">
            {!! $exception->getMessage() !!} 
        </div>
    </div>
</div>

The patch resolved this by applying the e() helper function, which acts as a wrapper for htmlspecialchars. This neutralizes any HTML tags or script directives injected into the exception message before rendering.

<!-- Patched Implementation (layout.blade.php) -->
<div class="row m-t-40">
    <div class="col-md-12 text-center">
        <div class="error_number">
            @yield('title')
        </div>
        <div class="error_message">
            {!! e($exception->getMessage()) !!}
        </div>
    </div>
</div>

While the patch successfully closes the vulnerability within the vendor's source files, Laravel applications often publish views locally using php artisan vendor:publish. This results in copies of the vulnerable template remaining in resources/views/errors/ even after the composer dependency is updated. To address this, the vendor introduced the php artisan backpack:fix command to programmatically locate and rewrite these locally published templates.

Attack Methodology & Exploitation Scenarios

To exploit this vulnerability, an attacker must identify an endpoint controlled by Backpack that triggers an exception containing user-supplied input. A typical vector involves input fields that feed directly into database queries or model resolvers, where validation is absent or handled post-execution. If the input triggers a database unique-constraint or a data-type mismatch, the database exception will propagate to the error view.

Once an administrative endpoint with reflective exception output is identified, the attacker crafts a specialized payload. This payload is embedded in a URL and delivered to an authenticated administrator via spear-phishing or cross-site requests. Since administrative interfaces often run on restricted subdomains, targeting a specific user session is a key prerequisite.

Upon clicking the link, the administrator's browser sends the request to the backend. The backend throws an exception, and the custom Backpack error handler returns the rendering containing the unescaped script block. The script executes within the context of the administrator's active session, allowing the script to make API requests with administrative authority.

Impact Assessment & Threat Surface

The primary risk of Reflected XSS within an administrative interface is the compromise of elevated user sessions. Because the script executes within the context of an authenticated session, the attacker inherits the full permissions of the administrative user. This bypasses authentication mechanisms, including multi-factor authentication (MFA), which has already been satisfied by the victim.

Using the active session, the malicious script can perform asynchronous HTTP requests (AJAX) to the backend API. An attacker can silently trigger state-changing actions such as creating a new administrative account, modifying system configuration parameters, or exfiltrating sensitive client databases. This turns a client-side scripting bug into an entry point for absolute system takeover.

Additionally, if administrative session cookies lack the HttpOnly attribute, the script can read the session identifier and transmit it directly to an attacker-controlled listener. Even with HttpOnly flags set, the DOM remains fully controllable. The attacker can execute arbitrary administrative tasks or display convincing overlay pages to capture secondary credentials.

Mitigation, Remediation, & Defenses

The primary remediation is updating the backpack/crud composer package to a secured version. Organizations running older versions should identify their active branch and apply the corresponding patch. The secure versions are 5.0.13 for the 5.x branch, 4.1.69 for the 4.1.x branch, and 4.0.63 for the 4.0.x branch.

After updating the composer dependencies, administrators must execute the command php artisan backpack:fix. This step is crucial because it ensures that any local error templates published to resources/views/errors/ are scanned and updated. If this command is skipped, the application may remain vulnerable despite updating the vendor directory.

For defense-in-depth, security teams should implement a strict Content Security Policy (CSP). Restricting inline scripts via policies like script-src 'self' 'nonce-random' or blocking unsafe-inline execution prevents the browser from executing reflected payloads. Additionally, ensuring all cookies use the HttpOnly and SameSite=Strict attributes minimizes the risk of session theft.

Official Patches

Laravel BackpackGitHub Security Advisory and Patch Notes

Technical Appendix

CVSS Score
5.1/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Systems

Laravel applications running backpack/crud package versions below 5.0.13, 4.1.69, or 4.0.63

Affected Versions Detail

Product
Affected Versions
Fixed Version
backpack/crud
Laravel Backpack
>= 5.0.0, < 5.0.135.0.13
backpack/crud
Laravel Backpack
>= 4.1.0, < 4.1.694.1.69
backpack/crud
Laravel Backpack
< 4.0.634.0.63
AttributeDetail
CWE IDCWE-79
Vulnerability ClassReflected Cross-Site Scripting (XSS)
CVSS v4.0 Score5.1
Attack VectorNetwork (AV:N)
Exploit StatusNone / Unproven
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1189Drive-by Compromise
Initial Access
T1185Browser Session Hijacking
Collection
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

Vulnerability discovered internally by Backpack team during routine private security audit
2022-03-24
Patches developed and verified across supported branches (5.x, 4.1, 4.0)
2022-03-25
Proactive email notifications and instructions sent to paying customers and subscribers
2022-04-10
Public disclosure made via vendor advisory and GitHub Security Advisory database
2022-06-30
Official CVE-2022-31114 record populated in the global CVE registry
2026-06-03

References & Sources

  • [1]GitHub Security Advisory GHSA-m8xx-3x29-84h8
  • [2]Official Vendor Remediation Blog Post
  • [3]NVD Detail Page
  • [4]CVE.org Authority Record
  • [5]Shodan CVEDB Entry
  • [6]Laravel Backpack GitHub Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
3 views•7 min read
•about 4 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
3 views•6 min read
•about 5 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
5 views•7 min read
•about 6 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 7 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 8 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read