9 matches found
CVE-2024-52301
CVE-2024-52301 affects the Laravel framework. When the PHP directive register_argc_argv is on, a crafted query string can alter the request-handling environment on non-cli SAPIs. This article notes the fix: Laravel now ignores argv values for environment detection on non-cli SAPIs, and the vulner...
CVE-2025-27515
CVE-2025-27515 affects Laravel: wildcard file/image validation (files.*) can bypass rules during upload. Root cause is improper handling of array-based uploads, enabling a user-controlled bypass. Fixed in Laravel releases 11.44.1 and 12.1.1. A PoC exploiting a wildcard validation bypass exists in...
CVE-2024-13919
The CVE-2024-13919 entry concerns Laravel framework versions 11.9.0 to 11.35.1, which are vulnerable to reflected cross-site scripting due to improper encoding of route parameters on the debug-mode error page. Affected component: Laravel routing/debug-mode error page handling. Root cause (as stat...
CVE-2021-43617
CVE-2021-43617 affects Laravel Framework up to 8.70.2. Root cause: Illuminate/Validation/Concerns/ValidatesAttributes.php does not check for .phar files, which Debian systems treat as application/x-httpd-php, enabling executable PHP content uploads in some scenarios. Debian project references sho...
CVE-2020-19316
The CVE-2020-19316 entry describes an OS command injection in Laravel Framework’s Filesystem.php, specifically in the link() function, affecting versions before 5.8.17. Evidence from multiple sources confirms the vulnerability affects Laravel’s file linking logic, enabling an attacker to inject a...
CVE-2021-43808
Technical details on CVE-2021-43808 are not publicly available in the provided connected documents. Monitor for updates.
CVE-2024-13918
CVE-2024-13918 (Laravel) affects Laravel framework versions 11.9.0 through 11.35.1, where a reflected cross-site scripting vulnerability arises from improper encoding of request parameters in the debug-mode error page. The root cause is the failure to encoding user input on the debug error page, ...
CVE-2022-40482
The CVE-2022-40482 issue affects Laravel 8.x–9.x prior to 9.32.0. The vulnerability arises in the authentication path where hasValidCredentials in Illuminate\Auth\SessionGuard may return early when a user does not exist, enabling timeless timing attacks over HTTP/2 multiplexing and potential user...
CVE-2018-6330
CVE-2018-6330 affects Laravel 5.4.15 and is described as an error-based SQL injection in save.php that can be triggered via the dhx_user and dhx_version parameters. The connected records consistently identify this as a Laravel SQL injection vulnerability in version 5.4.15, caused by improper hand...