Vulnerability-Lookup

GHSA-M8XX-3X29-84H8

Vulnerability from github – Published: 2026-06-03 20:25 – Updated: 2026-06-03 20:29

Summary

backpack/crud is vulnerable to Cross-Site Scripting (XSS)

Details

Impact

It’s a “moderate” vulnerability… but being an admin panel, we take this seriously. It’s difficult… but an attacker could conduct a targeted phishing campaign, in order to trick your users or admins to click a malicious link, which under very specific circumstances could give them information... or even admin access. It’s unlikely, but that’s not good enough in admin panels - we should make it impossible. That’s why we’re bothering you with this.

Patches

If you don’t have custom error views, the views provided by Backpack would output the exception message without escaping it, which made an attack possible using Reflected XSS, in some very specific circumstances (that we will not disclose). To fix those error views in Backpack 4.x and 5.x, please run:

composer update backpack/crud
php artisan backpack:fix

The problem has been patched in: - v4.0.63 - v4.1.69 - v5.0.13

IMPORTANT! Running a composer update should get you the patched version, but you also need to run php artisan backpack:fix afterwards, to patch your published error views, if necessary.

Workarounds

Alternatively (if you don’t want to run composer update), you can manually look inside your error views in “resources/views/errors” and output e($exception->getMessage()) instead of $exception->getMessage(). That’s all there is to the fix, really.

What the maintainers have done about this

Acted as soon as our team found it (last week of March 2022): - Pushed patches to 5.x, 4.1 and 4.0; - Made it easy to apply the fix to existing projects, using a new php artisan backpack:fix command; - Kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible; - Emailed all our licensed users, to have a chance to fix their projects before it’s public; - Sent an email blast to our 25.000+ strong Security Newsletter; - Made this public with a blog post and soon a CVE, after our community has had a reasonable chance to fix their projects; - Will continue to monitor this and remind paying users to apply this fix if they haven’t;

For more information

If you have any questions or comments about this advisory: * Open an issue in backpack/crud * Email us at hello@backpackforlaravel.com

PS. You can read this blog post for more information.

Severity

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "backpack/crud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "backpack/crud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.69"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "backpack/crud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.63"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T20:25:50Z",
    "nvd_published_at": "2026-06-03T16:16:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIt\u2019s a \u201c*moderate*\u201d vulnerability\u2026 but being an admin panel, we take this seriously. It\u2019s difficult\u2026 but an attacker could conduct a targeted phishing campaign, in order to **trick your users or admins to click a malicious link, which under very specific circumstances could give them information... or even admin access**. It\u2019s *unlikely*, but that\u2019s not good enough in admin panels - we should make it *impossible*. That\u2019s why we\u2019re bothering you with this. \n\n### Patches\n\n\nIf you don\u2019t have custom error views, the views provided by Backpack would output the exception message *without escaping it*, which made an attack possible using Reflected XSS, in some very specific circumstances (that we will not disclose). **To fix those error views in Backpack 4.x and 5.x, please run**:\n\n```bash\ncomposer update backpack/crud\nphp artisan backpack:fix\n```\n\nThe problem has been patched in:\n- v4.0.63\n- v4.1.69\n- v5.0.13\n\n\u003e **IMPORTANT! Running a `composer update` should get you the patched version, but you also need to run `php artisan backpack:fix` afterwards, to patch your published error views, if necessary.**\n\n### Workarounds\n\nAlternatively (if you don\u2019t want to run `composer update`), you can manually look inside your error views in \u201c*resources/views/errors*\u201d and output `e($exception-\u003egetMessage())` instead of `$exception-\u003egetMessage()`. That\u2019s all there is to the fix, really.\n\n### What the maintainers have done about this\n\nActed as soon as our team found it (last week of March 2022):\n- Pushed patches to 5.x, 4.1 and 4.0;\n- Made it easy to apply the fix to existing projects, using a new `php artisan backpack:fix` command;\n- Kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible;\n- Emailed all our licensed users, to have a chance to fix their projects before it\u2019s public;\n- Sent an email blast to our 25.000+ strong Security Newsletter;\n- Made this public with a blog post and soon a CVE, after our community has had a reasonable chance to fix their projects;\n- Will continue to monitor this and remind paying users to apply this fix if they haven\u2019t;\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [backpack/crud](https://github.com/laravel-backpack/crud)\n* Email us at [hello@backpackforlaravel.com](mailto:hello@backpackforlaravel.com)\n\n---\n\nPS. You can [read this blog post](https://backpackforlaravel.com/articles/news/we-recommend-you-fix-this-vulnerability) for more information.",
  "id": "GHSA-m8xx-3x29-84h8",
  "modified": "2026-06-03T20:29:20Z",
  "published": "2026-06-03T20:25:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31114"
    },
    {
      "type": "WEB",
      "url": "https://backpackforlaravel.com/articles/news/we-recommend-you-fix-this-vulnerability"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Laravel-Backpack/CRUD"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "backpack/crud is vulnerable to Cross-Site Scripting (XSS)"
}

CVE-2022-31114 (GCVE-0-2022-31114)

Vulnerability from cvelistv5 – Published: 2026-06-03 14:41 – Updated: 2026-06-03 16:01

Title

backpack/crud Vulnerable to Cross-site Scripting

Summary

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.

Severity

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/Laravel-Backpack/CRUD/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Laravel-Backpack	CRUD	Affected: >= 5.0.0, < 5.0.13 Affected: >= 4.0.0, < 4.1.69 Affected: < 4.0.63

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31114",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T16:01:14.919643Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T16:01:22.313Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CRUD",
          "vendor": "Laravel-Backpack",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.69"
            },
            {
              "status": "affected",
              "version": "\u003c 4.0.63"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "backpack/crud provides Create, Read, Update \u0026 Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception-\u003egetMessage())` instead of `$exception-\u003egetMessage()`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T14:41:41.395Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8"
        }
      ],
      "source": {
        "advisory": "GHSA-m8xx-3x29-84h8",
        "discovery": "UNKNOWN"
      },
      "title": "backpack/crud Vulnerable to Cross-site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31114",
    "datePublished": "2026-06-03T14:41:41.395Z",
    "dateReserved": "2022-05-18T18:37:25.429Z",
    "dateUpdated": "2026-06-03T16:01:22.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted