Merge pull request #864 from AikidoSec/kapyteinaikido-patch-1

Add cakephp/cakephp advisory for 5.2.8

Author: kapyteinaikido

vulnerabilities/AIKIDO-2025-10653.json

@@ -0,0 +1,26 @@
+{
+  "package_name": "cakephp/cakephp",
+  "patch_versions": [
+    "5.2.8"
+  ],
+  "vulnerable_ranges": [
+    [
+      "3.2.6",
+      "5.2.7"
+    ]
+  ],
+  "cwe": [
+    "CWE-863"
+  ],
+  "tldr": "Certain versions of CakePHP could incorrectly generate SQL when embedding a subquery that was already executed. This could cause access control conditions (WHERE clauses, bindings) to be lost or mishandled, leading to unauthorized data exposure or bypassing logic checks.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade cake/cakephp to the patch version. A patch for 4.X is currently unavailable.",
+  "vulnerable_to": "Improper Authorization",
+  "related_cve_id": "",
+  "language": "PHP",
+  "severity_class": "MEDIUM",
+  "aikido_score": 50,
+  "changelog": "https://github.com/cakephp/cakephp/pull/18922",
+  "last_modified": "2025-10-01",
+  "published": "2025-10-01"
+}