PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48820 cakephp CVE debrief

CVE-2026-48820 is a PHP file inclusion vulnerability in CakePHP View::_getElementFileName(). A patched release is available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, or 4.5.11. This vulnerability allows attackers to include other PHP files on the server by crafting user-supplied data. Developers and administrators should apply patches or mitigations to prevent exploitation.

Vendor
cakephp
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-23
Advisory published
2026-06-17
Advisory updated
2026-06-23

Who should care

Developers and administrators using CakePHP versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5 should apply patches or mitigations. Security teams and vulnerability management teams should also review and prioritize remediation efforts.

Technical summary

The View::_getElementFileName() method in CakePHP does not check if the resolved element path is within the application/plugin view template paths. This weakness can be exploited by crafting user-supplied data to include other PHP files on the server, potentially leading to code execution. Affected deployments should be identified and patched to versions 5.3.6, 5.2.13, 5.1.7, 4.6.4, or 4.5.11. Security teams should review and prioritize remediation efforts, focusing on restricting user input and monitoring for suspicious activity.

Defensive priority

Medium

Recommended defensive actions

  • Apply patches or updates to CakePHP versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5
  • Restrict user input to prevent crafted data from being used to exploit the vulnerability
  • Monitor for suspicious activity and implement compensating controls as needed
  • Perform inventory checks to identify potentially affected systems
  • Implement exception tracking and retest procedures
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-06-17T22:16:22.110Z and was last modified on 2026-06-23T15:44:39.343Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD data. Defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T22:16:22.110Z and has not been modified since then. The NVD entry is currently Deferred.