High severity · OSV Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026
CVE-2025-14894
Description
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation. This allows RCE through upload of a malicious PHP file, which can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
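With no patched version listed, one defensive check is to audit the publicly served upload directory for files that could run as PHP. The script below is an added example, not code from the advisory or the project; the extension list, the directory to scan and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Extensions often mapped to the PHP handler (assumption: match this to your web server config).
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}
PHP_MARKERS = (b"<?php", b"<?=")


def audit_upload_dir(root, head_bytes=4096):
    """Return sorted (relative_path, reason) pairs for files that could execute as PHP."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Compare every suffix case-insensitively, not only the last one.
        if {s.lower() for s in path.suffixes} & PHP_EXTENSIONS:
            findings.append((rel, "php-extension"))
            continue
        # The extension looks harmless: sniff the start of the content for a PHP open tag.
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
        if any(marker in head for marker in PHP_MARKERS):
            findings.append((rel, "php-open-tag-in-content"))
    return sorted(findings)


def build_sample_tree(root):
    """Create constructed sample uploads (not real artifacts) under root."""
    media = Path(root) / "media" / "1"
    media.mkdir(parents=True)
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (media / "notes.txt").write_text("meeting notes")
    (media / "avatar.PHP").write_text("placeholder")
    (media / "logo.png").write_bytes(b"\x89PNG\r\n" + b"<?php /* placeholder */ ?>")
    return Path(root)


if __name__ == "__main__":
    # Demo on the constructed tree; in practice point audit_upload_dir at the directory
    # served under /storage/ (assumption: Laravel's public disk, storage/app/public).
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_upload_dir(build_sample_tree(tmp)):
            print(f"{reason:26} {rel}")
```

Any finding warrants review of the file and of the web server's handler mapping for that directory; serving the upload directory as static files only removes the execution path regardless of what is uploaded.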
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| livewire-filemanager/filemanager (Packagist) | <= 1.0.4 | — |
Affected products
- Range: v0.1.0, v0.1.31, v0.1.32, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-9g95-48c6-r778 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-14894 (ghsa, ADVISORY)
- github.com/livewire-filemanager/filemanager/blob/master/docs.md (ghsa, WEB)
- hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager (ghsa, WEB)
- www.kb.cert.org/vuls/id/650657 (ghsa, WEB)