Laravel Framework vulnerabilities
15 known vulnerabilities affecting laravel/framework.
Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 8

Vulnerabilities
CVE-2024-13919 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 11.9.0, < 11.36.0 | 2025-03-10
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.
Sources: GHSA, NVD, OSV

CVE-2024-13918 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 11.9.0, < 11.36.0 | 2025-03-10
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
Sources: GHSA, NVD, OSV

CVE-2025-27515 | MEDIUM | CVSS 6.9 | CWE-155 | affected: fixed in 11.44.1; ≥ 12.0.0, < 12.1.1; +1 more | 2025-03-05
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Sources: GHSA, NVD, OSV

CVE-2024-52301 | HIGH | CVSS 8.7 | CWE-88 | affected: fixed in 6.20.45; ≥ 7.0.0, < 7.30.7; +9 more | 2024-11-12
Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignor
Sources: GHSA, NVD, OSV

CVE-2022-40482 | MEDIUM | CVSS 5.3 | CWE-203 | affected: ≥ 8.0.0, < 8.83.24; ≥ 9.0.0, < 9.32.0 | 2023-04-25
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
Sources: NVD

CVE-2017-14775 | MEDIUM | CWE-200 | affected: ≥ 0, < 5.5.10 | 2022-05-17
Laravel Sensitive Data Exposure
Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.
Sources: GHSA, OSV

CVE-2017-9303 | MEDIUM | CWE-20 | affected: ≥ 5.3.0, ≤ 5.3.31; ≥ 5.4.0, < 5.4.22 | 2022-05-17
Laravel does not properly constrain the host portion of a password-reset URL
Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
Sources: GHSA, OSV

CVE-2019-9081 | CRITICAL | Exploited in wild | CWE-502 | affected: ≥ 5.7.0, < 6.20.44 | 2022-05-14
Laravel Framework Deserialization Vulnerability
The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the `__destruct` method of the PendingCommand class in `PendingCommand.php`.
Sources: GHSA, OSV

CVE-2018-15133 | HIGH | CISA KEV | PoC | CWE-502 | affected: ≥ 0, ≤ 5.5.40; ≥ 5.6.0, < 5.6.30 | 2022-05-14
Laravel Framework RCE Vulnerability
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in `Illuminate/Encryption/Encrypter.php` and PendingBroadcast in `gadgetchains/Laravel/RCE/3/chain.php` in phpggc. The attacker must know the application key, which normally would never
Sources: GHSA, OSV

CVE-2020-19316 | HIGH | CVSS 8.8 | CWE-78 | affected: fixed in 5.8.17 | 2021-12-20
OS command injection vulnerability in the link function in Filesystem.php in Laravel Framework before 5.8.17.
Sources: GHSA, NVD, OSV

CVE-2021-43808 | MEDIUM | CVSS 6.1 | CWE-79 | affected: fixed in 6.20.42; ≥ 7.0.0, < 7.30.6; +3 more | 2021-12-08
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeh
Sources: GHSA, NVD, OSV

CVE-2021-43617 | CRITICAL | CVSS 9.8 | PoC | CWE-434 | affected: ≤ 8.70.2 | 2021-11-14
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports conc
Sources: GHSA, NVD

CVE-2020-24941 | HIGH | CWE-863 | affected: ≥ 0, < 6.18.35; ≥ 7.0.0, < 7.24.0 | 2021-05-06
Improper Input Validation in Laravel
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
Sources: GHSA, OSV

CVE-2021-21263 | MEDIUM | CVSS 5.3 | CWE-74 | affected: ≥ 6.0.0, < 6.20.11; ≥ 7.0.0, < 7.30.2; +1 more | 2021-01-19
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its
Sources: GHSA, NVD, OSV

CVE-2018-6330 | HIGH | CVSS 8.8 | CWE-89 | affected: 5.4.15 | 2019-03-28
Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters.
Sources: NVD