VYPR

Laravel

by Laravel

CVEs (10)

  • CVE-2017-16894 High Nov 20, 2017
    risk 0.59 cvss 7.5 epss 0.87

    In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in…

  • CVE-2017-14775 Medium Sep 28, 2017
    risk 0.38 cvss 5.9 epss 0.01

    Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

  • CVE-2017-9303 Medium May 29, 2017
    risk 0.33 cvss 6.1 epss 0.01

    Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

  • CVE-2026-7108 Medium Apr 27, 2026
    risk 0.28 cvss 4.3 epss 0.00

    A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. This affects an unknown function. Such manipulation leads to cross-site request forgery. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.

  • CVE-2024-40075 Medium Jul 22, 2024
    risk 0.28 cvss 4.3 epss 0.01

    Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability.

  • CVE-2024-29291 Apr 16, 2024
    risk 0.03 cvss epss 0.01

    An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but…

  • CVE-2024-51152 Nov 8, 2024
    risk 0.00 cvss epss 0.01

    File upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php component.

  • CVE-2022-40482 Apr 25, 2023
    risk 0.00 cvss epss 0.01

    The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the…

  • CVE-2021-28254 Apr 18, 2023
    risk 0.00 cvss epss 0.01

    A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.

  • CVE-2018-6330 Mar 28, 2019
    risk 0.00 cvss epss 0.02

    Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters.