Laravel

stack.watch can notify you when security vulnerabilities are reported in any Laravel product. You can add multiple products that you use with Laravel to create your own personal software stack watcher.

Products by Laravel Sorted by Most Security Vulnerabilities since 2018

Laravel: 3 vulnerabilities
PHP Web Application Development Framework

Laravel Framework: 2 vulnerabilities


By the Year

In 2020 there have been 2 vulnerabilities in Laravel with an average score of 7.5 out of ten. Last year Laravel had 2 security vulnerabilities published. At the current rate, the number of vulnerabilities this year is likely to match last year's. Last year, the average CVE base score was greater by 1.80.

Year | Vulnerabilities | Average Score
2020 | 2               | 7.50
2019 | 2               | 9.30
2018 | 1               | 8.10

It may take a day or so for new Laravel vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Laravel Security Vulnerabilities

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2

CVE-2020-24940 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

CVE-2020-24940 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0

CVE-2020-24941 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

CVE-2020-24941 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php

CVE-2018-6330 8.8 - High - March 28, 2019

Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.

CVE-2018-6330 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability

CVE-2019-9081 9.8 - Critical - February 24, 2019

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.

CVE-2019-9081 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Marshaling, Unmarshaling

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29

CVE-2018-15133 8.1 - High - August 09, 2018

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

CVE-2018-15133 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Marshaling, Unmarshaling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8