Update dependency cakephp/cakephp to v5.3.6 [SECURITY] (cakephp-5.x) - autoclosed #28

Closed
renovate[bot] wants to merge 1 commit into cakephp-5.x from renovate/cakephp-5.x-packagist-cakephp-cakephp-vulnerability


Conversation

renovate[bot] commented Jun 29, 2026

This PR contains the following updates:

Package                  | Change
cakephp/cakephp (source) | 5.3.3 -> 5.3.6

CakePHP: View::element() is missing a path containment check

CVE-2026-48820 / GHSA-wpvj-hjcr-h3p2


Impact

View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server.

Patches

Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11.

Workarounds

If developers are not using user-supplied data in element names, no action is required.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cakephp/cakephp (cakephp/cakephp)

v5.3.6: CakePHP 5.3.6 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 5.3.5. This is a maintenance release for the 5.3 branch that fixes community reported issues and a low severity security issue in View::element(). Thank you to Nguyen Danh Quan (@z3moo) and Ta Quoc Hung (@get-wright) for reporting this issue through our security process. The security fix has been backported and released as 5.2.13, 5.1.7, 4.6.4, and 4.5.11 as well.

Bugfixes

You can expect the following changes in 5.3.6. See the changelog for every commit.

  • DateTimeType now marshals date only formats like Y-m-d to midnight.
  • ConsoleOutput::_write() now guards against unset streams.
  • Improved API documentation.
  • Improved generic typehints for find(), findCreate() and loadInto().
  • Fixed missing path normalization and directory separator handling in CommandScanner::scanPlugin().
  • Improved error messages when validation rules are duplicated.
  • Fixed element path name handling with relative directory traversals.

Contributors to 5.3.6

Thank you to all the contributors that submitted a pull request:

  • ADmad
  • Mark Scherer
  • Mark Story
  • Stuart

As always, we would like to also thank all the contributors that opened issues, or updated the documentation.

v5.3.5: CakePHP 5.3.5 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 5.3.5. This is a maintenance release for the 5.3 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 5.3.5. See the changelog for every commit.

  • Fixed a regression where the SameSite cookie attributes would only be applied to the php preset.
  • ConsoleOutput::write() now guards against closed file handles.
  • Console runner now shows help text instead of an error on invalid command names.

Contributors to 5.3.5

Thank you to all the contributors that submitted a pull request:

  • ADmad
  • Juan Pablo Ramirez
  • Kevin Pfeifer
  • Mark Scherer
  • Mark Story

As always, we would like to also thank all the contributors that opened issues, or updated the documentation.

v5.3.4: CakePHP 5.3.4 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 5.3.4. This is a maintenance release for the 5.3 branch that fixes several community reported issues.

Bugfixes

You can expect the following changes in 5.3.4. See the changelog for every commit.

  • Added database connection context to errors logged for QueryException.
  • Improved phpstan type inference, and table entity generics.
  • Fixed pagination sort condition merging with alias prefixed fields. Fields are now normalized before resolving sort direction.

Contributors to 5.3.4

Thank you to all the contributors that submitted a pull request:

  • ADmad
  • Application-drop-up
  • Kevin Pfeifer
  • Mark Scherer
  • Mark Story
  • Masatoshi Ogiwara

As always, we would like to also thank all the contributors that opened issues, or updated the documentation.


Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
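The advisory in the Renovate comment above says View::_getElementFileName() resolved an element name without checking that the resulting file is still inside the application or plugin template paths, so a name built from user data could reach other PHP files. The PHP below is an added illustration of that class of defect next to a containment check; it is not CakePHP's code and does not reproduce the framework's fix. The function names (naiveElementFile, containedElementFile, elementForWidget), the temp-directory layout and the sample element names are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added illustration, not CakePHP code. Requires PHP 8.0+ (str_contains,
// str_starts_with). Everything under $base is a constructed fixture.

/**
 * Naive resolver (hypothetical): concatenates root + "element/" + name + ".php"
 * and returns the path if the file exists. Nothing checks where the path
 * lands, so a name containing "../" walks out of the element directory.
 */
function naiveElementFile(string $root, string $name): ?string
{
    $candidate = $root . '/element/' . $name . '.php';
    return is_file($candidate) ? $candidate : null;
}

/**
 * Contained resolver (hypothetical): canonicalises the element directory and
 * the candidate with realpath() and accepts the candidate only if it sits
 * strictly below the element directory. Symlinks are resolved too, so a link
 * planted inside element/ that points elsewhere is rejected as well.
 */
function containedElementFile(string $root, string $name): ?string
{
    // realpath() raises a ValueError for NUL bytes on PHP 8; fail closed first.
    if (str_contains($name, "\0")) {
        return null;
    }
    $elementDir = realpath($root . '/element');
    if ($elementDir === false) {
        return null;
    }
    $candidate = realpath($elementDir . '/' . $name . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Trailing separator in the prefix so "element" cannot match a sibling
    // directory such as "element_backup".
    $prefix = $elementDir . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

/**
 * Allowlist mapping (hypothetical): user input selects a key, and only fixed
 * element names are ever passed on. This is what the advisory's workaround
 * amounts to: element names are code identifiers, not data.
 */
function elementForWidget(string $widget): ?string
{
    $allowed = ['sidebar' => 'sidebar', 'footer' => 'footer'];
    return $allowed[$widget] ?? null;
}

// --- constructed fixture in a temp dir so the script runs offline ---
$base = realpath(sys_get_temp_dir()) . '/element_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/templates/element', 0700, true);
mkdir($base . '/config', 0700, true);
file_put_contents($base . '/templates/element/sidebar.php', "<?php echo 'sidebar';\n");
file_put_contents($base . '/config/secret.php', "<?php echo 'not an element';\n");
$root = $base . '/templates';

// Print paths relative to $base so the output is readable.
$rel = fn(?string $p): string => $p === null ? 'null' : substr($p, strlen($base) + 1);

foreach (['sidebar', '../../config/secret', 'missing'] as $name) {
    printf("%-22s naive=%-45s contained=%s\n",
        $name, $rel(naiveElementFile($root, $name)), $rel(containedElementFile($root, $name)));
}
printf("widget 'sidebar' -> %s, widget '../x' -> %s\n",
    elementForWidget('sidebar') ?? 'null', elementForWidget('../x') ?? 'null');

// Remove the constructed fixture.
unlink($base . '/templates/element/sidebar.php');
unlink($base . '/config/secret.php');
rmdir($base . '/templates/element');
rmdir($base . '/templates');
rmdir($base . '/config');
rmdir($base);
```

Run it with `php demo.php` on PHP 8.0 or later. For the legitimate name both resolvers return the element file; for the traversal name the naive resolver returns a path under config/ while the contained resolver returns null; for a missing name both return null. The allowlist function is the stronger pattern and is what the advisory's workaround relies on: when the element name never comes from user data, there is nothing for a traversal sequence to reach.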

@renovate renovate Bot added the security label Jun 29, 2026
@renovate renovate Bot changed the title Update dependency cakephp/cakephp to v5.3.6 [SECURITY] (cakephp-5.x) Update dependency cakephp/cakephp to v5.3.6 [SECURITY] (cakephp-5.x) - autoclosed Jun 29, 2026
@renovate renovate Bot closed this Jun 29, 2026
@renovate renovate Bot deleted the renovate/cakephp-5.x-packagist-cakephp-cakephp-vulnerability branch June 29, 2026 06:43