Lucene search
K

1789 matches found

CVE
CVE
added yesterday7 views

CVE-2026-49972

CVE-2026-49972 affects Laravel-Mediable prior to 7.0.0. A file upload vulnerability enables unauthenticated remote code execution via a double extension (e.g., shell.php.jpg). The attacker relies on PATHINFO_FILENAME preserving the inner .php extension in the base name, and on misconfigured serve...

8.8CVSS6.5AI score
Exploits0References3
CVE
CVE
added yesterday10 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 has a stored XSS in SVG file uploads. Both authenticated and anonymous users can upload unsanitized SVG files containing scripts (onload handlers, script tags, or foreignObject) which can store persistent XSS payloads. When victims view or preview the SVG, the payloa...

6.1CVSS6.3AI score
Exploits0References3
CVE
CVE
added yesterday9 views

CVE-2026-49970

Vulnerability summary: Laravel-Mediable before 7.0.0 contains a path traversal flaw in File::sanitizePath() that lets attackers write uploaded files to arbitrary locations via MediaUploader::toDestination(), due to a permissive regex allowing dot/slash and a weak trailing trim. This can enable re...

8.8CVSS6.3AI score
Exploits0References3
CVE
CVE
added yesterday7 views

CVE-2026-49969

Vulnerability overview: Laravel-Mediable

7.4CVSS6.2AI score
Exploits0References3
Nuclei
Nuclei
added yesterday586 views

Laravel Filemanager v2.5.1 - Local File Inclusion

Laravel Filemanager aka UniSharp through version 2.5.1 is vulnerable to local file inclusion via download?workingdir=%2F. id: CVE-2022-40734 info: name: Laravel Filemanager v2.5.1 - Local File Inclusion author: arafatansari severity: medium description: | Laravel Filemanager aka UniSharp through...

6.5CVSS6.6AI score0.04056EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday147 views

Laravel <5.5.21 - Information Disclosure

Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in...

7.5CVSS7AI score0.8703EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday13 views

Scramble Laravel - Remote Code Execution

Scramble for Laravel = 0.13.2 and = 0.13.2 and 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation...

9.4CVSS6.6AI score0.0586EPSS
Exploits3References3
Nuclei
Nuclei
added 2026/07/02 9:36 a.m.40 views

Laravel Livewire v3 - Remote Command Execution

Livewire v3 Laravel contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution RCE without authentication under certain conditions. id: CVE-2025-54068 info: name: Laravel Livewire v3 - Remote Command Execution author: flame-11...

9.8CVSS7.7AI score0.95376EPSS
Exploits5References5
CVE
CVE
added 2026/06/29 5:23 p.m.22 views

CVE-2026-57958

Summary: Mixpost

6.1CVSS5.9AI score0.00168EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:23 p.m.10 views

EUVD-2026-40143

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth...

6.1CVSS5.9AI score0.00168EPSS
Exploits0References2
Nuclei
Nuclei
added 2026/06/28 3:8 p.m.48 views

OctoberCMS - Account Takeover

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. id:...

9.1CVSS7.5AI score0.90418EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/25 6:45 p.m.8 views

EUVD-2026-38392

Filament: Multi-factor authentication app recovery codes can still be used multiple times via concurrent submission...

7.4CVSS5.8AI score0.00193EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/23 9:54 p.m.11 views

EUVD-2026-38393

Filament: Timing-based user enumeration on login page...

5.3CVSS5.8AI score0.0021EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 9:43 p.m.25 views

CVE-2026-48167 Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...

6.4CVSS0.00148EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.19 views

PT-2026-51387

Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.11.4 Filament versions 5.0.0 through 5.6.4 Description The login page contains a timing discrepancy that enables unauthenticated attackers to perform email enumeration. This allows an attacker to determine if ...

5.3CVSS5.9AI score0.0021EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.19 views

PT-2026-51388

Name of the Vulnerable Software and Affected Versions Filament versions prior to 4.11.5 Filament versions prior to 5.6.5 Description The ImageColumn and ImageEntry components render raw database values without escaping HTML. If the data passed to these components is not validated, an attacker can...

6.4CVSS5.9AI score0.00148EPSS
Exploits0References4
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.780 views

Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution

Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of filegetcontents and fileputcontents. This is exploitable on sites using debug mode with Laravel before 8.4.2. id: CVE-2021-3129 info: name:...

9.8CVSS8.6AI score0.99943EPSS
Exploits36References5
NVD
NVD
added 2026/06/10 10:16 p.m.14 views

CVE-2026-44692

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the...

7.7CVSS0.00262EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 8:3 p.m.10 views

CVE-2026-44692 Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the...

7.7CVSS5.5AI score0.00262EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/10 8:3 p.m.29 views

CVE-2026-44692 Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the...

7.7CVSS0.00262EPSS
Exploits0References2
Rows per page
Query Builder