Laravel


Products by Laravel, sorted by most security vulnerabilities since 2018:

- Laravel (21 vulnerabilities): PHP web application development framework
- Laravel Framework (7 vulnerabilities)
- Laravel Livewire (2 vulnerabilities)
- Laravel Fortify (1 vulnerability)

Known Exploited Laravel Vulnerabilities

The following Laravel vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Laravel Deserialization of Untrusted Data Vulnerability (CVE-2018-15133)
  Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).
  Exploit Probability: 86.2%
  Added to the CISA KEV catalog: January 16, 2024

Laravel Ignition File Upload Vulnerability (CVE-2021-3129)
  Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().
  Exploit Probability: 94.3%
  Added to the CISA KEV catalog: September 18, 2023

Both of the known exploited vulnerabilities above are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 2 vulnerabilities in Laravel with an average score of 9.1 out of ten. Last year, in 2025, Laravel had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Laravel in 2026 could surpass last year's number. The average CVE base score of the 2026 vulnerabilities is also greater by 3.00.

Year  Vulnerabilities  Average Score
2026  2                9.10
2025  3                6.10
2024  4                9.30
2023  2                7.55
2022  3                8.90
2021  3                7.07
2020  2                7.50
2019  1                8.80
2018  1                8.10

It may take a day or so for new Laravel vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Laravel Security Vulnerabilities

CVE-2026-23524 (Jan 21, 2026)
  Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but it only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

CVE-2021-47756 (Jan 15, 2026)
  Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication.
  Products: Laravel

CVE-2024-13918 (Mar 10, 2025)
  Laravel 11.9.0-11.35.1 Reflected XSS via Debug-Mode Error Page: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of request parameters in the debug-mode error page.
  Products: Laravel Framework

CVE-2024-13919 (Mar 10, 2025)
  Laravel 11.9.0-11.35.1 XSS via Route Params in Debug Error Page: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page.
  Products: Laravel Framework

CVE-2025-27515 (Mar 05, 2025)
  Laravel Wildcard Validation Bypass for files.* before v11.44.1/v12.1.1: Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
  Products: Laravel

CVE-2024-52301 (Nov 12, 2024)
  Laravel Framework Environment Manipulation Vulnerability via Query String: Laravel is a web application framework. When the register_argc_argv PHP directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.
  Products: Laravel

CVE-2024-47823 (Oct 08, 2024)
  Livewire RCE via Unvalidated File Extension (before 2.12.7/3.5.2): Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a .php file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. The filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files are stored directly on your server in a public storage disk. 3. The webserver is configured to execute .php files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
  Products: Livewire

CVE-2024-40075 (Jul 22, 2024)
  Laravel v11.x XXE Vulnerability via XML External Entity: Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability.
  Products: Laravel

CVE-2024-22859 (Feb 01, 2024)
  Livewire <3.0.4 CSRF Remote Code Execution via getCsrfToken: Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code via the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
  Products: Livewire

CVE-2022-40482 (Apr 25, 2023)
  Laravel 8.x-9.x (before 9.32) User Enumeration via HTTP/2 Timing Attack: The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
  Products: Laravel Framework
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).