laravel/framework
Packagist | 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting laravel/framework
- CVE-2017-14775 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 5.5.10 | 2017-09-28
  vulnerable: 5.0.30 ... v5.5.9 (281 versions)
  Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.
- CVE-2017-9303 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 5.4.22 | 2017-05-29
  vulnerable: v5.4.0 ... v5.4.9 (22 versions)
  Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
- CVE-2018-15133 | HIGH | CVSS 8.1 | EG 9.0 | KEV | Fixed in 5.6.30 | 2018-08-09
  vulnerable: v5.6.0 ... v5.6.9 (30 versions)
  In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Enc…
- CVE-2020-19316 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 5.8.17 | 2021-12-20
  vulnerable: 5.0.30 ... v5.8.9 (410 versions)
  OS command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.
- CVE-2020-24941 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 7.24.0 | 2020-09-04
  vulnerable: v7.0.0 ... v7.9.2 (59 versions)
  An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
- CVE-2021-21263 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 7.30.2 | 2021-01-19
  vulnerable: v7.0.0 ... v7.9.2 (75 versions)
  Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is craf…
- CVE-2021-43808 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 8.75.0 | 2021-12-08
  vulnerable: v8.0.0 ... v8.9.0 (112 versions)
  Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user tak…
- CVE-2024-52301 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 11.31.0 | 2024-11-12
  vulnerable: v11.0.0 ... v11.9.2 (54 versions)
  Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the re…
- CVE-2025-27515 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 12.1.1 | 2025-03-05
  vulnerable: v12.0.0, v12.0.1, v12.1.0
  Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.4…