CVE-2022-31114: backpack/crud is vulnerable to Cross-Site Scripting (XSS)
It’s a “moderate” vulnerability… but since this is an admin panel, take it seriously. It’s difficult… but an attacker could conduct a targeted phishing campaign to trick your users or admins into clicking a malicious link, which under very specific circumstances could give them information… or even admin access. It’s unlikely, but that’s not good enough in admin panels: it should be made impossible. That’s why you are bothered with this.
Detect and mitigate CVE-2022-31114 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.