VYPR
High severity8.1CISA KEVNVD Advisory· Published Aug 9, 2018· Updated Jun 17, 2026

CVE-2018-15133

CVE-2018-15133

Description

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
laravel/frameworkPackagist
<= 5.5.40
laravel/frameworkPackagist
>= 5.6.0, < 5.6.305.6.30

Affected products

1

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.