CVE-2022-31114
Deferred Deferred - Pending Action

Cross-Site Scripting in Backpack CRUD for Laravel

Vulnerability report for CVE-2022-31114, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-07-14
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
laravel_backpack crud to 5.0.12 (exc)
laravel_backpack crud to 4.1.69 (exc)
laravel_backpack crud to 4.0.63 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2022-31114 is a Cross-site Scripting (XSS) vulnerability in the Laravel-Backpack/CRUD package. It occurs because the package does not properly neutralize input when generating web pages, which can allow attackers to inject malicious scripts.

Under very specific circumstances, an attacker could exploit this vulnerability by tricking users or administrators into clicking a malicious link, potentially leading to information disclosure or unauthorized admin access.

The vulnerability affects versions prior to 5.0.13, 4.1.69, and 4.0.63 of the Backpack/CRUD package. It can be mitigated by updating to patched versions or manually escaping exception messages in error views.

Impact Analysis

This vulnerability can impact you by enabling attackers to conduct targeted phishing campaigns that trick users or administrators into clicking malicious links.

If exploited, it could lead to the disclosure of sensitive information or potentially grant attackers unauthorized administrative access to your system.

Detection Guidance

This vulnerability is a Cross-site Scripting (XSS) issue in Laravel-Backpack/CRUD caused by improper neutralization of input in error views. Detection involves checking the version of the backpack/crud package installed and inspecting error views for unescaped exception messages.

  • Check the installed version of backpack/crud with the command: composer show backpack/crud
  • Look inside the error views directory for unescaped exception messages: grep -r '\$exception->getMessage()' resources/views/errors
  • If unescaped exception messages are found (i.e., without the escaping function e()), the system is vulnerable.
Mitigation Strategies

To mitigate this vulnerability immediately, update the backpack/crud package to a patched version and fix the error views.

  • Run the command: composer update backpack/crud to update to a fixed version (5.0.13, 4.1.69, or 4.0.63 or later).
  • Run the command: php artisan backpack:fix to patch published error views automatically.
  • Alternatively, manually edit error views in resources/views/errors to replace $exception->getMessage() with e($exception->getMessage()) to escape output.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-31114. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart