CVE-2022-31114
Deferred Deferred - Pending Action
Cross-Site Scripting in Backpack CRUD for Laravel

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2022-31114
EUVD
EUVD-2022-55999
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
laravel_backpack crud to 5.0.12 (exc)
laravel_backpack crud to 4.1.69 (exc)
laravel_backpack crud to 4.0.63 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-31114 is a Cross-site Scripting (XSS) vulnerability in the Laravel-Backpack/CRUD package. It occurs because the package does not properly neutralize input when generating web pages, which can allow attackers to inject malicious scripts.

Under very specific circumstances, an attacker could exploit this vulnerability by tricking users or administrators into clicking a malicious link, potentially leading to information disclosure or unauthorized admin access.

The vulnerability affects versions prior to 5.0.13, 4.1.69, and 4.0.63 of the Backpack/CRUD package. It can be mitigated by updating to patched versions or manually escaping exception messages in error views.

Impact Analysis

This vulnerability can impact you by enabling attackers to conduct targeted phishing campaigns that trick users or administrators into clicking malicious links.

If exploited, it could lead to the disclosure of sensitive information or potentially grant attackers unauthorized administrative access to your system.

Detection Guidance

This vulnerability is a Cross-site Scripting (XSS) issue in Laravel-Backpack/CRUD caused by improper neutralization of input in error views. Detection involves checking the version of the backpack/crud package installed and inspecting error views for unescaped exception messages.

  • Check the installed version of backpack/crud with the command: composer show backpack/crud
  • Look inside the error views directory for unescaped exception messages: grep -r '\$exception->getMessage()' resources/views/errors
  • If unescaped exception messages are found (i.e., without the escaping function e()), the system is vulnerable.
Mitigation Strategies

To mitigate this vulnerability immediately, update the backpack/crud package to a patched version and fix the error views.

  • Run the command: composer update backpack/crud to update to a fixed version (5.0.13, 4.1.69, or 4.0.63 or later).
  • Run the command: php artisan backpack:fix to patch published error views automatically.
  • Alternatively, manually edit error views in resources/views/errors to replace $exception->getMessage() with e($exception->getMessage()) to escape output.
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-31114. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart