CVE-2026-48820 PUBLISHED

CakePHP: View::element() is missing a path containment check

Assigner: GitHub_M
Reserved: 22.05.2026
Published: 17.06.2026
Updated: 18.06.2026

CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path lies within the application or plugin view template paths. When element names are built from specially crafted user-supplied data, this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.
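The following is an added illustration of what a "path containment check" for element lookup looks like; it is not CakePHP's code and not the project's fix, and the function name resolveElementPath, its signature and the temporary-directory fixture are assumptions made for the example. The point it shows is that checking whether the file exists is not enough: a name containing "../" segments (or a symlink) can resolve to a real file outside the template root, so the canonical path must be compared against the canonical root before the file is ever included.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical containment check for template element lookup (not CakePHP's code).
 * The resolved file must live inside one of the configured template roots.
 *
 * @param string[] $templateRoots absolute directories that may contain elements
 * @param string   $name          element name as supplied by the caller
 * @return string|null            canonical path of the element, or null when the
 *                                element does not exist or resolves outside the roots
 */
function resolveElementPath(array $templateRoots, string $name): ?string
{
    foreach ($templateRoots as $root) {
        $realRoot = realpath($root);
        if ($realRoot === false) {
            continue; // misconfigured root: skip it rather than guess
        }

        $candidate = $realRoot . DIRECTORY_SEPARATOR . 'element'
            . DIRECTORY_SEPARATOR . $name . '.php';

        // realpath() collapses "." and ".." segments and follows symlinks,
        // so the result is where include() would actually read from.
        $real = realpath($candidate);
        if ($real === false) {
            continue; // no such file under this root
        }

        // Containment check: the canonical path must start with the canonical
        // root plus a separator. A file that exists but sits outside the root
        // (reached via "../" or a symlink) is rejected here, not included.
        $prefix = $realRoot . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return null;
}

// --- constructed demo fixture in a temporary directory (not real application data) ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'elem_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/templates/element', 0700, true);
file_put_contents($base . '/templates/element/sidebar.php', "<?php echo 'sidebar';\n");
// A PHP file that exists on disk but is outside the template root.
file_put_contents($base . '/outside.php', "<?php echo 'must never be included';\n");

$roots = [$base . '/templates'];

$legit     = resolveElementPath($roots, 'sidebar');          // inside the root: accepted
$traversal = resolveElementPath($roots, '../../outside');    // exists, but outside: rejected
$missing   = resolveElementPath($roots, 'missing');          // does not exist: rejected

$ok = $legit === realpath($base . '/templates/element/sidebar.php')
    && $traversal === null
    && $missing === null;
echo $ok ? "containment check behaves as expected\n" : "unexpected result\n";

// Clean up the fixture.
unlink($base . '/templates/element/sidebar.php');
unlink($base . '/outside.php');
rmdir($base . '/templates/element');
rmdir($base . '/templates');
rmdir($base);
```

The comparison is done on the output of realpath() for both sides, with the separator appended to the root so that a sibling directory sharing the root's name as a prefix (for example "templates2" next to "templates") is not accepted by accident. If the application also supports plugin template paths, each plugin root is simply another entry in the roots array and gets the same check.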

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor cakephp
Product cakephp
Versions
  • Version >= 5.3.0, < 5.3.6 is affected
  • Version >= 5.2.0, < 5.2.13 is affected
  • Version >= 5.0.0, < 5.1.7 is affected
  • Version >= 4.6.0, < 4.6.4 is affected
  • Version < 4.5.11 is affected

References

Problem Types

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')