Packagist (Composer) package
livewire/livewire
pkg:composer/livewire/livewire
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54068 | — | | KEV | >= 3.0.0-beta.1, < 3.6.4 | 3.6.4 | Jul 17, 2025 | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vu |
| CVE-2024-47823 | — | | | >= 3.0.0-beta.1, < 3.5.2 | 3.5.2 | Oct 8, 2024 | Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the |
| CVE-2024-21504 | — | | | >= 3.3.5, < 3.4.9 | 3.4.9 | Mar 19, 2024 | Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the |
| CVE-2024-22859 | — | | | >= 3.0.0, < 3.0.4 | 3.0.4 | Feb 1, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client act |