CVE-2025-70841
Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2 is vulnerable to unauthenticated remote access to the /script/.env file. The exposure reveals sensitive data including the Laravel APP_KEY, database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, ...
CVE-2025-70841
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APP_KEY, database credentials, SMTP/SendGrid API...
GHSA-9G95-48C6-R778 Livewire Filemanager does not restrict uploaded file types
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious PHP file that can then be executed via the /storage/ URL if a commonly performed setup proce...
CVE-2025-14894
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious PHP file that can then be executed via the /storage/ URL if a commonly performed setup proce...
PT-2025-39883
Name of the Vulnerable Software and Affected Versions: Vasion Print versions prior to 22.0.1026; Vasion Print Application versions prior to 20.0.2702. Description: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application deployments expose unauthenticated REST API endpoints. These...
CVE-2025-34206 Vasion Print (formerly PrinterLogic) Insecure Shared Storage Permissions
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA) and SaaS deployments mount host configuration and secret material under /var/www/efsstorage into many Docker containers with overly permissive filesystem permissions. Files such as secrets.env, GPG-encrypted blobs in...
Deserialization of Untrusted Data
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to deserialization of untrusted data. An attacker can execute arbitrary code or manipulate application data by providing crafted serialized...
CVE-2023-36825
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the state query parameter,...
PT-2024-36552 · Unknown · Crater Invoice
Name of the Vulnerable Software and Affected Versions: Crater Invoice, affected versions not specified. Description: A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the Laravel sessi...
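The two entries above describe the two halves of one attack path: an exposed Laravel .env hands out APP_KEY (CVE-2025-70841), and APP_KEY is what lets an attacker craft session material the application will accept (PT-2024-36552). The Python below is an added triage example, not code from Dokans, Crater, Laravel or any advisory source. It parses a fetched .env body, tells a real dotenv file apart from an error page returned with HTTP 200, lists the variables that must be rotated, and checks whether the leaked APP_KEY is the live key by recomputing the HMAC that Laravel's Encrypter attaches to every encrypted cookie (hash_hmac('sha256', $iv . $value, $key), computed over the base64 strings; recent releases add an empty `tag` field for the CBC ciphers). The AES-CBC layer is deliberately not implemented, so the block never produces a decryptable payload. The sample .env, the sample key and every function name are constructed for this example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import re

# Constructed sample key (32 bytes -> AES-256-CBC in Laravel terms) and a constructed
# .env body shaped like the files the advisories describe. Not real data.
SAMPLE_KEY_BYTES = b"0123456789abcdef0123456789abcdef"
SAMPLE_ENV = "\n".join([
    "APP_NAME=Shop",
    "APP_ENV=production",
    "APP_KEY=base64:" + base64.b64encode(SAMPLE_KEY_BYTES).decode(),
    "APP_DEBUG=false",
    "DB_CONNECTION=mysql",
    "DB_HOST=127.0.0.1",
    'DB_PASSWORD="s3cr3t pass"',
    "MAIL_MAILER=smtp",
    "MAIL_PASSWORD=SG.example-api-key   # trailing comment",
    "export SENDGRID_API_KEY='SG.x'",
])

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
_SECRET_NAME = re.compile(r"(?:KEY|SECRET|PASSWORD|TOKEN)(?:_|$)")


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal dotenv parser: KEY=VALUE, optional 'export', quotes, '#' comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def decode_app_key(value: str) -> bytes | None:
    """Laravel stores APP_KEY as 'base64:<key>'; the raw key must be 16 bytes
    (AES-128-CBC) or 32 bytes (AES-256-CBC). None if it cannot be a valid key."""
    if value.startswith("base64:"):
        try:
            raw = base64.b64decode(value[len("base64:"):], validate=True)
        except (binascii.Error, ValueError):
            return None
    else:
        raw = value.encode()
    return raw if len(raw) in (16, 32) else None


def looks_like_laravel_env(body: str) -> bool:
    """Separate a real .env from an HTML error page served with HTTP 200."""
    if "<html" in body[:512].lower():
        return False
    env = parse_dotenv(body)
    return "APP_KEY" in env and decode_app_key(env["APP_KEY"]) is not None


def exposed_secrets(env: dict[str, str]) -> list[str]:
    """Variables whose values must be rotated after the file has been exposed."""
    return sorted(k for k, v in env.items() if v and _SECRET_NAME.search(k))


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Encrypter::hash(): hash_hmac('sha256', $iv . $value, $key) over the base64 strings."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def build_payload(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Assemble the base64(JSON{iv,value,mac,tag}) envelope Laravel places in cookies.
    The AES-CBC step that would produce `ciphertext` is intentionally absent."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    envelope = {"iv": iv_b64, "value": value_b64,
                "mac": laravel_mac(key, iv_b64, value_b64), "tag": ""}
    return base64.b64encode(json.dumps(envelope, separators=(",", ":")).encode()).decode()


def mac_valid(key: bytes, payload_b64: str) -> bool:
    """The check Encrypter::validMac() runs before decrypting: True means `key`
    is the key the application signs its cookies with."""
    try:
        envelope = json.loads(base64.b64decode(payload_b64))
    except (binascii.Error, ValueError):
        return False
    if not isinstance(envelope, dict) or not all(
            isinstance(envelope.get(k), str) for k in ("iv", "value", "mac")):
        return False
    expected = laravel_mac(key, envelope["iv"], envelope["value"])
    return hmac.compare_digest(expected.encode(), envelope["mac"].encode())


def triage(env_body: str, captured_cookie_b64: str) -> dict:
    """Given a fetched .env body and one captured (URL-decoded) Laravel cookie value,
    report what leaked and whether the leaked APP_KEY is the live one."""
    if not looks_like_laravel_env(env_body):
        return {"laravel_env": False}
    env = parse_dotenv(env_body)
    key = decode_app_key(env["APP_KEY"])
    return {
        "laravel_env": True,
        "secrets": exposed_secrets(env),
        "cipher": "AES-256-CBC" if len(key) == 32 else "AES-128-CBC",
        "app_key_is_live": mac_valid(key, captured_cookie_b64),
    }


if __name__ == "__main__":
    # Stand-in for a cookie captured from the target; built here with the sample key.
    cookie = build_payload(SAMPLE_KEY_BYTES, b"\x00" * 16, b"opaque ciphertext")
    print(json.dumps(triage(SAMPLE_ENV, cookie), indent=2))
```

A captured cookie value must be URL-decoded before it is passed in. True from mac_valid() for a key taken from a leaked file means the key is in use and every session and encrypted cookie signed with it is forgeable until the key is rotated; False usually means the file is stale or belongs to a staging copy, which changes the severity of the finding.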
PT-2024-34540 · Unknown · Laravel CMS
Name of the Vulnerable Software and Affected Versions: Laravel CMS versions 1.4.7 and earlier Description: The issue allows a remote attacker to execute arbitrary code via the shell.php component. This is made possible by a file upload vulnerability. Recommendations: For Laravel CMS versions 1.4....
Unrestricted Upload of File with Dangerous Type in unisharp/laravel-filemanager
This affects the package unisharp/laravel-filemanager prior to version 2.6.2. The upload function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload...