The CakePHP core team is happy to announce the immediate availability of CakePHP 4.2.11. This release contains a security fix for the limit() and offset() methods of Cake\Database\Query. If passed unfiltered request data, these methods would allow for SQL injection. If your application does not use CakePHP's Pagination wrappers and directly passes request data into one of these methods, your application is vulnerable. We'd like to thank 'Tanaka' for reporting this issue.
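An added example, not CakePHP's own code: application code that reads paging values from the request can validate them as bounded integers before they reach limit() and offset(). The helper names boundedInt and pageWindow, the default and maximum values, and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of CakePHP): turn an untrusted query-string
 * value into an integer inside [$min, $max], or fall back to $default.
 */
function boundedInt($raw, int $min, int $max, int $default): int
{
    // Reject arrays (?limit[]=1) and other non-scalar input outright.
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    // FILTER_VALIDATE_INT accepts only a complete integer literal in range.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);

    return $value === false ? $default : $value;
}

/** Hypothetical helper: build a validated limit/offset pair from query params. */
function pageWindow(array $queryParams, int $maxLimit = 100): array
{
    return [
        'limit' => boundedInt($queryParams['limit'] ?? null, 1, $maxLimit, 20),
        'offset' => boundedInt($queryParams['offset'] ?? null, 0, PHP_INT_MAX, 0),
    ];
}

// Constructed sample inputs standing in for $this->request->getQueryParams().
$samples = [
    ['limit' => '25', 'offset' => '50'],    // well-formed
    ['limit' => '10abc', 'offset' => '0'],  // trailing non-numeric text
    ['limit' => ['1'], 'offset' => '-5'],   // array value and negative offset
    ['limit' => '100000'],                  // above the allowed maximum
    [],                                     // parameters absent
];

foreach ($samples as $params) {
    $window = pageWindow($params);
    printf("%s => limit=%d offset=%d\n", json_encode($params), $window['limit'], $window['offset']);
    // In a controller, only the validated integers are handed to the query:
    // $query->limit($window['limit'])->offset($window['offset']);
}
```

The upper bound on limit also stops a client from requesting an unbounded result set, which validation of the type alone would not.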