
CVE-2024-13919 – Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
https://notcve.org/view.php?id=CVE-2024-13919
10 Mar 2025 — The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page. • https://github.com/laravel/framework/pull/53869 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13918 – Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
https://notcve.org/view.php?id=CVE-2024-13918
10 Mar 2025 — The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of request parameters in the debug-mode error page. • https://github.com/laravel/framework/pull/53869 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-27515 – Laravel has a File Validation Bypass
https://notcve.org/view.php?id=CVE-2025-27515
05 Mar 2025 — Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1. • https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •

CVE-2024-55661 – Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
https://notcve.org/view.php?id=CVE-2024-55661
13 Dec 2024 — Laravel Pulse is a real-time application performance monitoring tool and dashboard for Laravel applications. A vulnerability has been discovered in Laravel Pulse prior to version 1.3.1 that could allow remote code execution through the public `remember()` method in the `Laravel\Pulse\Livewire\Concerns\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. An authenticated user with access to Laravel Pulse dashboard ... • https://github.com/laravel/pulse/commit/d1a5bf2eca36c6e3bedb4ceecd45df7d002a1ebc • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-52306 – FileManager Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2024-52306
13 Nov 2024 — FileManager provides a Backpack admin interface for files and folders. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9. • https://github.com/Laravel-Backpack/FileManager/commit/2830498b85e05fb3c92179053b4d7c4a0fdb880b • CWE-502: Deserialization of Untrusted Data •

CVE-2024-52301 – Laravel allows environment manipulation via query string
https://notcve.org/view.php?id=CVE-2024-52301
12 Nov 2024 — Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs. • https://github.com/Nyamort/CVE-2024-52301 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVE-2024-50347 – Laravel Reverb has Missing API Signature Verification
https://notcve.org/view.php?id=CVE-2024-50347
31 Oct 2024 — Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, signatures on requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections the... • https://github.com/laravel/reverb/commit/73cc140d76e803b151fc2dd2e4eb3eb784a82ee2 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2024-29291 – Laravel Framework 11 - Credential Leakage
https://notcve.org/view.php?id=CVE-2024-29291
16 Apr 2024 — An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the access control appropriately for the type of data that may be logged. • https://packetstorm.news/files/id/178210 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-21504
https://notcve.org/view.php?id=CVE-2024-21504
19 Mar 2024 — Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it. • https://github.com/livewire/livewire/commit/c65b3f0798ab2c9338213ede3588c3cdf4e6fcc0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-22859
https://notcve.org/view.php?id=CVE-2024-22859
01 Feb 2024 — Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code via the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem. • https://github.com/github/advisory-database/pull/3490 • CWE-352: Cross-Site Request Forgery (CSRF) •