CVE-2026-48820 | CakePHP up to 5.3.5 PHP File _getElementFileName filename control (GHSA-wpvj-hjcr-h3p2)

SecurityVulns

A vulnerability classified as problematic has been identified in CakePHP up to 4.5.10/4.6.3/5.1.6/5.2.12/5.3.5. It affects the function View::_getElementFileName of the component PHP File Handler. Manipulation can lead to improper control of the filename for an include/require statement in a PHP program ('PHP remote file inclusion').

This vulnerability is tracked as CVE-2026-48820. The attack can be performed remotely. No exploit is available.

Upgrading the affected component is recommended.