Livewire is vulnerable to remote command execution during component property update hydration
Impact: In Livewire v3 ≤ 3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions...
CVE-2025-54068 Livewire vulnerable to remote command execution during property update hydration
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is...
PT-2025-29947
Name of the Vulnerable Software and Affected Versions: Livewire versions 3.0.0 through 3.6.3 Description: An issue in the Livewire full-stack framework for Laravel allows unauthenticated attackers to achieve remote command execution in specific scenarios. The problem arises from unsafe object...
CVE-2024-47823
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to 2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not...
Remote Code Execution (RCE)
livewire/livewire is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the framework's file upload mechanism, which only guesses the file extension based on the MIME type, allowing attackers to bypass security measures and upload malicious files...
Insufficient Type Distinction
Overview: livewire/livewire is a front-end framework for Laravel. Affected versions of this package are vulnerable to Insufficient Type Distinction when validating uploaded files in the generateHashNameWithOriginalNameEmbedded function. An attacker can execute code by uploading a file with a...
PT-2024-19589 · Livewire · Livewire
Name of the Vulnerable Software and Affected Versions: livewire versions prior to 3.0.4 Description: A Cross-Site Request Forgery (CSRF) issue allows remote attackers to execute arbitrary code via the getCsrfToken function. The vendor disputes this, stating that the 5d88731 commit fixes a usability...
Livewire Cross-Site Request Forgery Vulnerability
Livewire is a full-stack framework for Laravel that allows you to build dynamic UI components without leaving PHP. A cross-site request forgery vulnerability exists in Livewire versions prior to v3.0.4, which originates from a vulnerability that allows remote attackers to execute arbitrary code v...