CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13919 – Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
https://notcve.org/view.php?id=CVE-2024-13919
10 Mar 2025 — The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. • https://github.com/laravel/framework/pull/53869 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13918 – Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
https://notcve.org/view.php?id=CVE-2024-13918
10 Mar 2025 — The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. • https://github.com/laravel/framework/pull/53869 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28254
https://notcve.org/view.php?id=CVE-2021-28254
18 Apr 2023 — A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. • https://s1mple-top.github.io/2021/03/09/Laravel8-new-pop-chain-mining-process • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.3EPSS: 42%CPEs: 1EXPL: 2CVE-2023-24249
https://notcve.org/view.php?id=CVE-2023-24249
27 Feb 2023 — An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file. • https://github.com/IDUZZEL/CVE-2023-24249-Exploit • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4262 – laravel-jqgrid EloquentRepositoryAbstract.php getRows sql injection
https://notcve.org/view.php?id=CVE-2021-4262
19 Dec 2022 — A vulnerability classified as critical was found in laravel-jqgrid. Affected by this vulnerability is the function getRows of the file src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php. The manipulation leads to sql injection. The name of the patch is fbc2d94f43d0dc772767a5bdb2681133036f935e. It is recommended to apply a patch to fix this issue. • https://github.com/mgallegos/laravel-jqgrid/commit/fbc2d94f43d0dc772767a5bdb2681133036f935e • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-707: Improper Neutralization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2886 – Laravel deserialization
https://notcve.org/view.php?id=CVE-2022-2886
19 Aug 2022 — A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/beicheng-maker/vulns/issues/3 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2870 – laravel deserialization
https://notcve.org/view.php?id=CVE-2022-2870
17 Aug 2022 — A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/beicheng-maker/vulns/issues/2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 2%CPEs: 3EXPL: 0CVE-2021-21263 – Query Binding Exploitation in Laravel
https://notcve.org/view.php?id=CVE-2021-21263
19 Jan 2021 — Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply l... • https://blog.laravel.com/security-laravel-62011-7302-8221-released • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 94%CPEs: 2EXPL: 36CVE-2021-3129 – Laravel Ignition File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-3129
12 Jan 2021 — Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Ignition versiones anteriores a 2.5.2, como es usado en Laravel y otros productos, permite a atacantes remotos no autenticados ejecutar código arbitrario debido a un uso no seguro de las funciones file_get_contents() y file_put_contents(... • https://packetstorm.news/files/id/165999 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24940
https://notcve.org/view.php?id=CVE-2020-24940
04 Sep 2020 — An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment. Se detectó un problema en Laravel versiones anteriores a 6.18.34 y versiones 7.x anteriores a 7.23.2. Los valores no validados se guardan en la base de datos en algunas situaciones en las que los nombres de las tablas son eliminados durante una asignación masiva • https://blog.laravel.com/security-release-laravel-61834-7232 • CWE-20: Improper Input Validation •