threatengine.sh
Product: laravel
26 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | CVSS | Severity | Summary (as shown on the page; several entries are cut off) |
|---|---|---|---|---|
| CVE-2026-23524 | < 1.7.0 | 9.8 | CRITICAL | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb |
| CVE-2025-54068 | >= 3.0.0 and < 3.6.4 | 9.8 | CRITICAL | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated |
| CVE-2024-13919 | >= 11.9.0 and < 11.36.0 | 8.0 | HIGH | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper enc |
| CVE-2024-13918 | >= 11.9.0 and < 11.36.0 | 8.0 | HIGH | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper enc |
| CVE-2025-27515 | < 11.44.1 | 9.8 | CRITICAL | Laravel is a web application framework. When using wildcard validation to validate a given file or image field (files.*), a user |
| CVE-2024-55661 | < 1.3.1 | 8.8 | HIGH | Laravel Pulse is a real-time application performance monitoring tool and dashboard for Laravel applications. A vulnerability has b |
| CVE-2024-52301 | < 6.20.45 | 7.5 | HIGH | Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a spe |
| CVE-2024-47823 | < 2.12.7 | 9.8 | CRITICAL | Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire pri |
| CVE-2024-21504 | >= 3.3.5 and <= 3.4.9 | 6.1 | MEDIUM | Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page use |
| CVE-2024-22859 | < 3.0.4 | 8.8 | HIGH | Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCs |
| CVE-2022-40482 | >= 8.0.0 and < 8.83.24 | 5.3 | MEDIUM | The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeles |
| CVE-2021-28254 | all versions | 9.8 | CRITICAL | A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. |
| CVE-2022-2886 | >= 5.1.0 and <= 5.1.46 | 5.0 | MEDIUM | A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation lea |
| CVE-2022-2870 | >= 5.1.0 and <= 5.1.46 | 4.1 | MEDIUM | A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulati |
| CVE-2022-25838 | < 1.11.1 | 8.1 | HIGH | Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" conc |
| CVE-2020-19316 | < 5.8.17 | 8.8 | HIGH | OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17. |
| CVE-2021-43808 | < 6.20.42 | 5.3 | MEDIUM | Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site script |
| CVE-2021-43617 | <= 8.70.2 | 9.8 | CRITICAL | Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Co |
| CVE-2021-21263 | >= 6.0.0 and < 6.20.11 | 7.2 | HIGH | Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation |
| CVE-2020-24941 | < 6.18.35 | 7.5 | HIGH | An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations in |
| CVE-2020-24940 | < 6.18.34 | 7.5 | HIGH | An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situ |
| CVE-2018-6330 | all versions | 8.8 | HIGH | Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters. |
| CVE-2018-15133 | <= 5.5.40 | 8.1 | HIGH | In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call |
| CVE-2017-16894 | <= 5.5.21 | 7.5 | HIGH | In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a |
| CVE-2017-14775 | <= 5.5.9 | 5.9 | MEDIUM | Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-ti |
| CVE-2017-9303 | all versions | 6.1 | MEDIUM | Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin