Let Them Eat XSS: Breaking CakePHP's PaginatorHelper
Jan 16, 2026 · 5 min read
Executive Summary (TL;DR)
CakePHP's `PaginatorHelper` tries to be helpful by automatically generating hidden form fields to preserve your current search filters when you change the page limit. Unfortunately, it trusted the parameter *names* (keys) too much. By injecting a payload into the URL query key, an attacker can break out of the HTML attribute and execute JavaScript. Fixed in 5.2.12 and 5.3.1.
A deep dive into a Reflected Cross-Site Scripting vulnerability in CakePHP's PaginatorHelper. By injecting malicious JavaScript into query parameter keys, attackers can exploit a flaw in how the framework preserves state during pagination, leading to arbitrary code execution in the victim's browser.
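The pattern described above, as an added illustration that is not CakePHP's source or its patch: a simplified helper that re-emits query parameters as hidden fields, first escaping only the values, then escaping names as well. The function names and the sample query are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

/** Flatten nested query arrays into "a[b]" style field names. */
function flattenQuery(array $query, string $prefix = ''): array
{
    $flat = [];
    foreach ($query as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flat += flattenQuery($value, $name);
        } else {
            $flat[$name] = (string)$value;
        }
    }
    return $flat;
}

/** Vulnerable pattern: the value is escaped, the name (query key) is emitted raw. */
function hiddenFieldsUnsafe(array $query): string
{
    $html = '';
    foreach (flattenQuery($query) as $name => $value) {
        $html .= '<input type="hidden" name="' . $name . '" value="'
            . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">' . "\n";
    }
    return $html;
}

/** Hardened pattern: name and value are both escaped for attribute context. */
function hiddenFieldsSafe(array $query): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '';
    foreach (flattenQuery($query) as $name => $value) {
        // PHP turns numeric-string array keys into ints, so cast before escaping.
        $html .= '<input type="hidden" name="' . $esc((string)$name)
            . '" value="' . $esc($value) . '">' . "\n";
    }
    return $html;
}

// Constructed input: a benign marker key containing attribute-breaking characters.
$query = ['sort' => 'title', 'filter' => ['x"><i>marker</i>' => '1']];
echo hiddenFieldsUnsafe($query), "\n", hiddenFieldsSafe($query);
```

In the first output the marker key closes the `name` attribute and its tag lands in the markup; in the second it stays inside the attribute as entity-encoded text.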
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| CakePHP | >= 5.2.10, < 5.2.12 | 5.2.12 |
| CakePHP | >= 5.3.0, < 5.3.1 | 5.3.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network (Reflected) |
| CVSS | 5.4 (Medium) |
| Bug Class | Input Validation Error |
| Component | PaginatorHelper |
| Exploit Status | PoC Available |
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.