VYPR
Vendor: Laravel
Products: 4
CVEs: 19 (22 across products)
Status: Private

Products (4)

Recent CVEs (19)
  • CVE-2017-16894 · High · Nov 20, 2017
    risk 0.59 · cvss 7.5 · epss 0.87

    In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in…

  • CVE-2026-39976 · High · Apr 9, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an authentication bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there is no user). The token guard…

  • CVE-2017-14775 · Medium · Sep 28, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

  • CVE-2024-50347 · Medium · Oct 31, 2024
    risk 0.34 · cvss n/a · epss 0.00

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as…

  • CVE-2017-9303 · Medium · May 29, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

  • CVE-2026-7108 · Medium · Apr 27, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. It affects an unknown function, and manipulation of it leads to cross-site request forgery. The attack can be performed remotely. The exploit has been disclosed publicly and may be used.

  • CVE-2024-40075 · Medium · Jul 22, 2024
    risk 0.28 · cvss 4.3 · epss 0.01

    Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability.

  • CVE-2024-52301 · Nov 12, 2024
    risk 0.05 · cvss n/a · epss 0.38

    Laravel is a web application framework. When the register_argc_argv PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in…

  • CVE-2024-29291 · Apr 16, 2024
    risk 0.03 · cvss n/a · epss 0.01

    An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but…

  • CVE-2026-23524 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves…

  • CVE-2024-13919 · Mar 10, 2025
    risk 0.00 · cvss n/a · epss 0.01

    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

  • CVE-2024-13918 · Mar 10, 2025
    risk 0.00 · cvss n/a · epss 0.01

    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

  • CVE-2025-27515 · Mar 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

  • CVE-2024-51152 · Nov 8, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A file upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php component.

  • CVE-2022-40482 · Apr 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the…

  • CVE-2021-28254 · Apr 18, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.

  • CVE-2021-43808 · Dec 7, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser…

  • CVE-2021-21263 · Jan 19, 2021
    risk 0.00 · cvss n/a · epss 0.02

    Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a…

  • CVE-2018-6330 · Mar 28, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters.