Laravel: Security Vulnerabilities
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.
CVSS Score
8.0
EPSS Score
0.0
Published
2025-03-10
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
CVSS Score
8.0
EPSS Score
0.0
Published
2025-03-10
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-10-08
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
CVSS Score
8.8
EPSS Score
0.02
Published
2024-02-01
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-04-25
A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.
CVSS Score
9.8
EPSS Score
0.002
Published
2023-04-19
A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-206688.
CVSS Score
5.0
EPSS Score
0.001
Published
2022-08-19
A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206501 was assigned to this vulnerability.
CVSS Score
4.1
EPSS Score
0.001
Published
2022-08-17
Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept.
CVSS Score
8.1
EPSS Score
0.003
Published
2022-02-24
OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.
CVSS Score
8.8
EPSS Score
0.043
Published
2021-12-20
Page 1