laravel/framework Security Advisories (25)
-
Laravel CRLF injection in default email rule
PKSA-mdq4-51ck-6kdq CVE-2026-48019
Affected version: >=9.0.0,<10.0.0|>=10.0.0,<11.0.0|>=11.0.0,<12.0.0|>=12.0.0,<12.60.0|>=13.0.0,<13.10.0
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] Laravel has a File Validation Bypass
PKSA-8qx3-n5y5-vvnd CVE-2025-27515 GHSA-78fx-h6xr-vch4
Affected version: <10.48.29|>=11.0.0,<11.44.1|>=12.0.0,<12.1.1
Reported by:
GitHub -
[MEDIUM] Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
PKSA-q46n-4fdk-zjr4 CVE-2024-13919 GHSA-83wp-f5c3-hqqr
Affected version: >=11.9.0,<11.36.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
PKSA-qzrn-rnz3-85w1 CVE-2024-13918 GHSA-546h-56qp-8jmw
Affected version: >=11.9.0,<11.36.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Laravel environment manipulation via query string
PKSA-w7xr-vk7n-rstm CVE-2024-52301 GHSA-gv7v-rgg6-548h
Affected version: <6.20.45|>=7.0.0,<7.30.7|>=8.0.0,<8.83.28|>=9.0.0,<9.52.17|>=10.0.0,<10.48.23|>=11.0.0,<11.31.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Laravel Hijacked authentication cookies vulnerability
PKSA-6wgv-k7p1-h4fg GHSA-p62r-7637-3wwc
Affected version: >=4.0.0,<4.1.26
Reported by:
GitHub -
[MEDIUM] Laravel Risk of mass-assignment vulnerabilities
PKSA-11c9-dxsr-yqjb GHSA-rj3w-99gc-8j58
Affected version: >=4.0.0,<4.1.29
Reported by:
GitHub -
[CRITICAL] Laravel Framework Deserialization Vulnerability
PKSA-dpt9-7cmv-dk65 CVE-2019-9081 GHSA-pfg4-p438-p874
Affected version: >=5.7.0,<6.20.44
Reported by:
GitHub -
[HIGH] Laravel Framework RCE Vulnerability
PKSA-3qhw-gzjt-j63j CVE-2018-15133 GHSA-qvqm-h22r-4cp9
Affected version: >=5.6.0,<=5.6.29|<=5.5.40
Reported by:
GitHub -
[HIGH] OS Command Injection in Laravel Framework
PKSA-17kp-jm2n-vxzz CVE-2020-19316 GHSA-w2pm-r78h-4m7v
Affected version: <5.8.17
Reported by:
GitHub -
Reported by:
FriendsOfPHP/security-advisories -
[HIGH] Improper Input Validation in Laravel
PKSA-7ywf-hktb-jkn9 CVE-2020-24941 GHSA-w68r-5p45-5rqp
Affected version: >=7.0.0,<7.24.0|<6.18.35
Reported by:
GitHub -
[MEDIUM] SQL Server LIMIT / OFFSET SQL Injection
PKSA-ckwp-rt7t-c46m GHSA-7852-w36x-6mf6
Affected version: >=6.0.0,<6.20.26|>=7.0.0,<7.30.5|>=8.0.0,<8.40.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Unexpected bindings in QueryBuilder
PKSA-4npr-btr6-zhny GHSA-6jvx-8ch9-j2jr
Affected version: >=6.0.0,<6.20.14|>=7.0.0,<7.30.4|>=8.0.0,<8.24.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Possible cross-site scripting (XSS) vulnerability in the Blade templating engine
PKSA-njrm-6dtg-m2pc CVE-2021-43808 GHSA-66hf-2p6w-jqfw
Affected version: <6.20.42|>=7.0.0,<7.30.6|>=8.0.0,<8.75.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] Guard bypass in Eloquent models
PKSA-vhvj-tvg4-96jj GHSA-qm5c-m76r-2hfr
Affected version: >=5.5.0,<=5.5.49|>=6.0.0,<6.18.34|>=7.0.0,<7.23.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] RCE vulnerability in "cookie" session driver
PKSA-nrj3-r2wg-yt8b GHSA-vr95-p7q6-8m9q
Affected version: >=4.1.0,<=4.1.99999|>=4.2.0,<=4.2.99999|>=5.0.0,<=5.0.99999|>=5.1.0,<=5.1.99999|>=5.2.0,<=5.2.99999|>=5.3.0,<=5.3.99999|>=5.4.0,<=5.4.99999|>=5.5.0,<=5.5.49|>=5.6.0,<=5.6.99999|>=5.7.0,<=5.7.99999|>=5.8.0,<=5.8.99999|>=6.0.0,<6.18.31|>=7.0.0,<7.22.4
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] XSS vulnerability in blade templating
PKSA-rvky-x3cg-y3qd GHSA-44pg-c29v-hp6r
Affected version: >=7.0.0,<7.1.2
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Unexpected bindings in QueryBuilder
PKSA-985r-hryy-555b CVE-2021-21263 GHSA-3p32-j457-pg5x
Affected version: >=6.0.0,<6.20.11|>=7.0.0,<7.30.2|>=8.0.0,<8.22.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Cookie serialization vulnerability
PKSA-mhj3-vthf-h41n GHSA-jwvj-pwww-3mj5
Affected version: >=4.0.0,<=4.0.11|>=4.1.0,<=4.1.31|>=4.2.0,<=4.2.22|>=5.0.0,<=5.0.35|>=5.1.0,<=5.1.46|>=5.2.0,<=5.2.45|>=5.3.0,<=5.3.31|>=5.4.0,<=5.4.36|>=5.5.0,<5.5.42|>=5.6.0,<5.6.30
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Exploit of encryption failure vulnerability
PKSA-cn77-7mny-v9zg GHSA-4mg9-vhxq-vm7j
Affected version: >=4.0.0,<=4.0.11|>=4.1.0,<=4.1.31|>=4.2.0,<=4.2.22|>=5.0.0,<=5.0.35|>=5.1.0,<=5.1.46|>=5.2.0,<=5.2.45|>=5.3.0,<=5.3.31|>=5.4.0,<=5.4.36|>=5.5.0,<5.5.40|>=5.6.0,<5.6.15
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Timing attack vector for remember me token
PKSA-xf4x-p5c1-z9xq CVE-2017-14775 GHSA-c2v7-j5gq-wcq4
Affected version: >=4.1.26,<=4.1.31|>=4.2.0,<=4.2.22|>=5.0.0,<=5.0.35|>=5.1.0,<=5.1.46|>=5.2.0,<=5.2.45|>=5.3.0,<=5.3.31|>=5.4.0,<=5.4.36|>=5.5.0,<5.5.10
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Password reset phishing vulnerability
PKSA-fwj1-r2kg-bmxd CVE-2017-9303 GHSA-rc8x-jrrc-frfv
Affected version: >=5.3.0,<=5.3.31|>=5.4.0,<5.4.22
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Risk of mass-assignment vulnerabilities
PKSA-4d28-pz9s-51zj GHSA-x7p5-p2c9-phvg
Affected version: >=4.0.0,<4.0.99|>=4.1.0,<4.1.29
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Hijacked authentication cookies vulnerability
PKSA-gf52-cc16-7thv GHSA-wq8p-mqvg-2p5h
Affected version: >=4.0.0,<4.0.99|>=4.1.0,<4.1.26
Reported by:
GitHub, FriendsOfPHP/security-advisories