Packagist (Composer) package
laravel/framework
pkg:composer/laravel/framework
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-13919 | — | — | — | >= 11.9.0, < 11.36.0 | 11.36.0 | Mar 10, 2025 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page. |
| CVE-2024-13918 | — | — | — | >= 11.9.0, < 11.36.0 | 11.36.0 | Mar 10, 2025 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of request parameters in the debug-mode error page. |
| CVE-2025-27515 | — | — | — | >= 12.0.0, < 12.1.1 | 12.1.1 | Mar 5, 2025 | Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1. |
| CVE-2024-52301 | — | — | — | < 6.20.45 | 6.20.45 | Nov 12, 2024 | Laravel is a web application framework. When the register_argc_argv PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45. |
| CVE-2020-19316 | — | — | — | < 5.8.17 | 5.8.17 | Dec 20, 2021 | OS command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17. |
| CVE-2021-43808 | — | — | — | < 6.20.42 | 6.20.42 | Dec 7, 2021 | Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser d |
| CVE-2021-43617 | — | — | — | <= 8.70.2 | — | Nov 14, 2021 | Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE |
| CVE-2021-21263 | — | — | — | >= 8.0.0, < 8.22.1 | 8.22.1 | Jan 19, 2021 | Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non- |
| CVE-2020-24941 | — | — | — | < 6.18.35 | 6.18.35 | Sep 4, 2020 | An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions. |
| CVE-2018-15133 | — | — | KEV | <= 5.5.40 | — | Aug 9, 2018 | In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadget |
| CVE-2017-14775 | Med | 5.9 | — | < 5.5.10 | 5.5.10 | Sep 28, 2017 | Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. |
| CVE-2017-9303 | Med | 6.1 | — | >= 5.3.0, <= 5.3.31 | — | May 29, 2017 | Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. |