Laravel
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16894 | | High | 0.59 | 7.5 | 0.87 | | Nov 20, 2017 | In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in… |
| CVE-2026-39976 | | High | 0.39 | 7.1 | 0.00 | | Apr 9, 2026 | Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard… |
| CVE-2017-14775 | | Medium | 0.38 | 5.9 | 0.01 | | Sep 28, 2017 | Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. |
| CVE-2024-50347 | | Medium | 0.34 | — | 0.00 | | Oct 31, 2024 | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as… |
| CVE-2017-9303 | | Medium | 0.33 | 6.1 | 0.01 | | May 29, 2017 | Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. |
| CVE-2026-7108 | | Medium | 0.28 | 4.3 | 0.00 | | Apr 27, 2026 | A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. This affects an unknown function. Such manipulation leads to cross-site request forgery. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2024-40075 | | Medium | 0.28 | 4.3 | 0.01 | | Jul 22, 2024 | Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. |
| CVE-2024-52301 | | | 0.05 | — | 0.38 | | Nov 12, 2024 | Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in… |
| CVE-2024-29291 | | | 0.03 | — | 0.01 | | Apr 16, 2024 | An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but… |
| CVE-2026-23524 | | | 0.00 | — | 0.01 | | Jan 21, 2026 | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves… |
| CVE-2024-13919 | | | 0.00 | — | 0.01 | | Mar 10, 2025 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. |
| CVE-2024-13918 | | | 0.00 | — | 0.01 | | Mar 10, 2025 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. |
| CVE-2025-27515 | | | 0.00 | — | 0.01 | | Mar 5, 2025 | Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1. |
| CVE-2024-51152 | | | 0.00 | — | 0.01 | | Nov 8, 2024 | File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php component. |
| CVE-2022-40482 | | | 0.00 | — | 0.01 | | Apr 25, 2023 | The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the… |
| CVE-2021-28254 | | | 0.00 | — | 0.01 | | Apr 18, 2023 | A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. |
| CVE-2021-43808 | | | 0.00 | — | 0.01 | | Dec 7, 2021 | Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser… |
| CVE-2021-21263 | | | 0.00 | — | 0.02 | | Jan 19, 2021 | Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a… |
| CVE-2018-6330 | | | 0.00 | — | 0.02 | | Mar 28, 2019 | Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via dhx_user and dhx_version parameters. |