Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/cakephp/cakephp@2.7.1
purl pkg:composer/cakephp/cakephp@2.7.1
Next non-vulnerable version 3.10.3
Latest non-vulnerable version 5.3.1
Risk 10.0
Vulnerabilities affecting this package (10)
Vulnerability Summary Fixed by
VCID-4hm5-ts9r-7qhj
Aliases:
GHSA-6hg4-vp5q-47mw
GMS-2023-67
CakePHP allows direct access of prefixed controller actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters.
2.7.2
Affected by 6 other vulnerabilities.
VCID-e42e-y1zv-4yem
Aliases:
CVE-2016-4793
GHSA-j8p3-8m69-2hqq
Improper Input Validation The `clientIp` function in CakePHP allows remote attackers to spoof their IP via the `CLIENT-IP` HTTP header.
2.7.11
Affected by 3 other vulnerabilities.
2.8.2
Affected by 3 other vulnerabilities.
3.0.17
Affected by 4 other vulnerabilities.
3.1.12
Affected by 3 other vulnerabilities.
3.2.5
Affected by 2 other vulnerabilities.
VCID-efhb-ed55-3fdy
Aliases:
CVE-2020-15400
GHSA-j33j-fg2g-mcv2
3.10.3
Affected by 0 other vulnerabilities.
4.0.6
Affected by 1 other vulnerability.
VCID-k87k-gfb3-vbab
Aliases:
GMS-2015-41
Unsafe view template filenames result in a Remote File Inclusion vulnerability.
2.7.6
Affected by 3 other vulnerabilities.
3.0.0-RC1
Affected by 3 other vulnerabilities.
3.0.15
Affected by 4 other vulnerabilities.
3.1.0-RC1
Affected by 4 other vulnerabilities.
3.1.4
Affected by 4 other vulnerabilities.
VCID-kxax-aem6-7fdu
Aliases:
GMS-2015-18
Unreliable data validation There's a flow in Validation::compare() and Validation::range() that makes possible to pass validation criteria using crafted data.
2.7.2
Affected by 6 other vulnerabilities.
3.0.0-RC1
Affected by 3 other vulnerabilities.
VCID-s8hu-14t1-f7bn
Aliases:
GMS-2015-63
Direct access of prefixed controller actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible.
2.7.2
Affected by 6 other vulnerabilities.
3.0.0-RC1
Affected by 3 other vulnerabilities.
VCID-tvvp-39ps-sqab
Aliases:
GHSA-p76f-wr22-4rv6
GMS-2023-70
CakePHP vulnerable to Remote File Inclusion through View template name manipulation CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6 and 3.x prior to 3.0.15 and 3.1.4 is vulnerable to Remote File Inclusion through View template name manipulation.
2.7.6
Affected by 3 other vulnerabilities.
3.0.15
Affected by 4 other vulnerabilities.
3.1.4
Affected by 4 other vulnerabilities.
VCID-tyh8-9qqj-tfdt
Aliases:
GMS-2015-64
PHP Remote File Inclusion Remote File Inclusion through View template name manipulation.
2.7.6
Affected by 3 other vulnerabilities.
3.0.0-RC1
Affected by 3 other vulnerabilities.
3.0.15
Affected by 4 other vulnerabilities.
3.1.0-RC1
Affected by 4 other vulnerabilities.
3.1.4
Affected by 4 other vulnerabilities.
VCID-vqhd-sy34-e3bw
Aliases:
GMS-2015-17
Potential direct access to prefixed actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible.
2.7.2
Affected by 6 other vulnerabilities.
3.0.0-RC1
Affected by 3 other vulnerabilities.
VCID-yq27-7v6m-5bc5
Aliases:
CVE-2015-8379
GHSA-556q-h4vr-pgh2
Cross-Site Request Forgery (CSRF) CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
3.1.5
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T07:15:58.432773+00:00 GitLab Importer Affected by VCID-tvvp-39ps-sqab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2023-70.yml 38.6.0
2026-06-01T07:15:58.002662+00:00 GitLab Importer Affected by VCID-4hm5-ts9r-7qhj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2023-67.yml 38.6.0
2026-06-01T06:43:10.298712+00:00 GitLab Importer Affected by VCID-yq27-7v6m-5bc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2015-8379.yml 38.6.0
2026-06-01T05:49:12.870406+00:00 GitLab Importer Affected by VCID-efhb-ed55-3fdy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2020-15400.yml 38.6.0
2026-05-31T09:37:45.386362+00:00 GitLab Importer Affected by VCID-e42e-y1zv-4yem https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2016-4793.yml 38.6.0
2026-05-31T09:34:35.747079+00:00 GitLab Importer Affected by VCID-k87k-gfb3-vbab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-41.yml 38.6.0
2026-05-31T09:34:35.480480+00:00 GitLab Importer Affected by VCID-tyh8-9qqj-tfdt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-64.yml 38.6.0
2026-05-31T09:34:18.232297+00:00 GitLab Importer Affected by VCID-s8hu-14t1-f7bn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-63.yml 38.6.0
2026-05-31T09:34:17.952323+00:00 GitLab Importer Affected by VCID-vqhd-sy34-e3bw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-17.yml 38.6.0
2026-05-31T09:34:17.668992+00:00 GitLab Importer Affected by VCID-kxax-aem6-7fdu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-18.yml 38.6.0