CVE-2022-31114
Cross-Site Scripting in Backpack CRUD for Laravel
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| laravel_backpack | crud | to 5.0.12 (exc) |
| laravel_backpack | crud | to 4.1.69 (exc) |
| laravel_backpack | crud | to 4.0.63 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2022-31114 is a Cross-site Scripting (XSS) vulnerability in the Laravel-Backpack/CRUD package. It occurs because the package does not properly neutralize input when generating web pages, which can allow attackers to inject malicious scripts.
Under very specific circumstances, an attacker could exploit this vulnerability by tricking users or administrators into clicking a malicious link, potentially leading to information disclosure or unauthorized admin access.
The vulnerability affects versions prior to 5.0.13, 4.1.69, and 4.0.63 of the Backpack/CRUD package. It can be mitigated by updating to patched versions or manually escaping exception messages in error views.
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to conduct targeted phishing campaigns that trick users or administrators into clicking malicious links.
If exploited, it could lead to the disclosure of sensitive information or potentially grant attackers unauthorized administrative access to your system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-site Scripting (XSS) issue in Laravel-Backpack/CRUD caused by improper neutralization of input in error views. Detection involves checking the version of the backpack/crud package installed and inspecting error views for unescaped exception messages.
- Check the installed version of backpack/crud with the command: `composer show backpack/crud`
- Look inside the error views directory for unescaped exception messages: `grep -r '\$exception->getMessage()' resources/views/errors`
- If unescaped exception messages are found (i.e., without the escaping function `e()`), the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the backpack/crud package to a patched version and fix the error views.
- Run the command `composer update backpack/crud` to update to a fixed version (5.0.13, 4.1.69 or 4.0.63, or later).
- Run the command `php artisan backpack:fix` to patch published error views automatically.
- Alternatively, manually edit error views in `resources/views/errors` to replace `$exception->getMessage()` with `e($exception->getMessage())` to escape output.
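The detection and mitigation steps above, turned into a script a defender can run against an application checkout. This is an added example, not code from the advisory, the Backpack project or the page: it reads the installed backpack/crud version from `composer.lock` (an assumed input path; the page's own check uses `composer show`), compares it with the fixed release for that branch as stated above, and scans published Blade error views for raw output of `$exception->getMessage()`. One caveat on the grep given above: Blade's `{{ ... }}` syntax already passes its value through `e()`, so only `{!! ... !!}`, `<?php echo ... ?>` and `<?= ... ?>` output without `e()` is reported here. The sample views and lock file used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the Backpack project).
# Assumptions: composer.lock is in standard Composer format and the published
# error views under resources/views/errors use Blade syntax.

# Fixed release for the branch an installed version belongs to (values as stated
# in the advisory text); empty when the branch is not covered.
fixed_version_for() {            # $1 = installed version, e.g. 5.0.12
    case "$1" in
        5.*)   echo "5.0.13" ;;
        4.1.*) echo "4.1.69" ;;
        4.0.*) echo "4.0.63" ;;
        *)     echo "" ;;
    esac
}

# True (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    local IFS=.
    local -a a=($1) b=($2)
    local i x y
    for i in 0 1 2; do
        x=${a[$i]:-0}; y=${b[$i]:-0}
        if (( x < y )); then return 0; fi
        if (( x > y )); then return 1; fi
    done
    return 1
}

# Print the backpack/crud version recorded in composer.lock ($1), without the "v" prefix.
installed_crud_version() {
    awk '/"name": *"backpack\/crud"/ {found=1}
         found && /"version":/ {gsub(/^"v?|",?$/, "", $2); print $2; exit}' "$1"
}

# Exit 0 when version $1 is at or above the fixed release of its branch,
# 1 when it still needs updating, 2 when the branch is not covered.
crud_version_is_patched() {
    local fixed
    fixed=$(fixed_version_for "$1")
    [ -n "$fixed" ] || return 2
    if version_lt "$1" "$fixed"; then return 1; fi
    return 0
}

# List file:line:text for every raw (unescaped) output of $exception->getMessage()
# in *.blade.php files under $1. Blade's {{ }} escapes automatically, so only
# {!! !!}, <?php echo ?> and <?= ?> output that does not go through e() is kept.
find_unescaped_exception_output() {
    grep -rHnE --include='*.blade.php' '\$exception->getMessage\(\)' "$1" 2>/dev/null \
        | grep -E '\{!!|<\?(php|=)' \
        | grep -vE 'e\( *\$exception->getMessage\(\)' \
        || true
}

# Usage: bash check-cve-2022-31114.sh /path/to/laravel/app
if [ $# -eq 1 ]; then
    v=$(installed_crud_version "$1/composer.lock")
    if [ -z "$v" ]; then
        echo "backpack/crud not found in $1/composer.lock"
    elif crud_version_is_patched "$v"; then
        echo "backpack/crud $v: at or above the fixed release"
    else
        echo "backpack/crud $v: update required (fixed: $(fixed_version_for "$v"))"
    fi
    echo "Raw exception output in error views:"
    find_unescaped_exception_output "$1/resources/views/errors"
fi
```

Run it with the application root as the single argument; an empty list after the version line means the published error views contain no raw output of the exception message, which is the state `php artisan backpack:fix` or the manual `e()` edit above produces.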