Lucene search: LaravelFramework

11 matches found

CVE | added 2024/04/16 11:15 p.m. | 7302 views

CVE-2024-29291

An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the acces...

AI score 6.8 | EPSS 0.07587

CVE | added 2024/11/12 8:15 p.m. | 375 views

CVE-2024-52301

Laravel is a web application framework. When the register_argc_argv PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, ...

CVSS 8.7 | AI score 6.8 | EPSS 0.11329

CVE | added 2021/01/19 8:15 p.m. | 140 views

CVE-2021-21263

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an a...

CVSS 7.2 | AI score 5.3 | EPSS 0.02179

CVE | added 2021/11/14 4:15 p.m. | 119 views

CVE-2021-43617

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Larav...

CVSS 9.8 | AI score 9.4 | EPSS 0.50067

CVE | added 2021/12/08 12:15 a.m. | 94 views

CVE-2021-43808

Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is ...

CVSS 6.1 | AI score 5.4 | EPSS 0.00359

CVE | added 2021/12/20 8:15 p.m. | 89 views

CVE-2020-19316

OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.

CVSS 8.8 | AI score 8.8 | EPSS 0.04286

CVE | added 2025/03/05 7:15 p.m. | 87 views

CVE-2025-27515

Laravel is a web application framework. When using wildcard validation to validate a given file or image field (files.*), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

CVSS 6.9 | AI score 7 | EPSS 0.00024

CVE | added 2023/04/25 7:15 p.m. | 77 views

CVE-2022-40482

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user...

CVSS 5.3 | AI score 5.3 | EPSS 0.00298

CVE | added 2019/03/28 4:29 p.m. | 69 views

CVE-2018-6330

Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters.

CVSS 8.8 | AI score 9 | EPSS 0.00303

CVE | added 2025/03/10 10:15 a.m. | 65 views

CVE-2024-13919

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

CVSS 8 | AI score 6.4 | EPSS 0.00018

CVE | added 2025/03/10 10:15 a.m. | 60 views

CVE-2024-13918

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

CVSS 8 | AI score 6.4 | EPSS 0.00031