1795 matches found
Scramble Laravel - Remote Code Execution
Scramble for Laravel = 0.13.2 and = 0.13.2 and 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation...
Laravel Filemanager v2.5.1 - Local File Inclusion
Laravel Filemanager aka UniSharp through version 2.5.1 is vulnerable to local file inclusion via download?workingdir=%2F. id: CVE-2022-40734 info: name: Laravel Filemanager v2.5.1 - Local File Inclusion author: arafatansari severity: medium description: | Laravel Filemanager aka UniSharp through...
CVE-2026-49972
CVE-2026-49972 affects Laravel-Mediable prior to 7.0.0. A file upload vulnerability enables unauthenticated remote code execution via a double extension (e.g., shell.php.jpg). The attacker relies on PATHINFO_FILENAME preserving the inner .php extension in the base name, and on misconfigured serve...
CVE-2026-49972 Laravel-Mediable < 7.0.0 File Upload RCE via Extension Bypass
Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...
CVE-2026-49972
Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...
CVE-2026-49971
Laravel-Mediable before 7.0.0 has a stored XSS in SVG file uploads. Both authenticated and anonymous users can upload unsanitized SVG files containing scripts (onload handlers, script tags, or foreignObject) which can store persistent XSS payloads. When victims view or preview the SVG, the payloa...
CVE-2026-49971 Laravel-Mediable < 7.0.0 Stored XSS via SVG File Upload
Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...
CVE-2026-49970
Vulnerability summary: Laravel-Mediable before 7.0.0 contains a path traversal flaw in File::sanitizePath() that lets attackers write uploaded files to arbitrary locations via MediaUploader::toDestination(), due to a permissive regex allowing dot/slash and a weak trailing trim. This can enable re...
CVE-2026-49970 Laravel-Mediable < 7.0.0 Path Traversal via File::sanitizePath()
Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...
CVE-2026-49969
Vulnerability overview: Laravel-Mediable
CVE-2026-49969 Laravel-Mediable < 7.0.0 SSRF via RemoteUrlAdapter URL Handling
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...
Laravel <5.5.21 - Information Disclosure
Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in...
PT-2026-57850
Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0 Description An issue exists where unauthenticated attackers can achieve remote code execution by uploading files with double extensions, such as shell.php.jpg. The PATHINFO FILENAME extraction preserves...
Laravel Livewire v3 - Remote Command Execution
Livewire v3 Laravel contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution RCE without authentication under certain conditions. id: CVE-2025-54068 info: name: Laravel Livewire v3 - Remote Command Execution author: flame-11...
CVE-2026-57958
Summary: Mixpost
EUVD-2026-40143
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth...
OctoberCMS - Account Takeover
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. id:...
EUVD-2026-38392
Filament: Multi-factor authentication app recovery codes can still be used multiple times via concurrent submission...
EUVD-2026-38393
Filament: Timing-based user enumeration on login page...
CVE-2026-48167 Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...