Laravel

stack.watch can notify you when security vulnerabilities are reported in any Laravel product. You can add multiple products that you use with Laravel to create your own personal software stack watcher.

Products by Laravel Sorted by Most Security Vulnerabilities since 2018

Laravel: 3 vulnerabilities
PHP Web Application Development Framework

Laravel Framework: 2 vulnerabilities

@laravelphp Tweets

RT @jbrooksuk: If you provisioned a server with Forge and didn't select a database server at the time, you can now install one afterwards!…
Tue Sep 29 14:32:33 +0000 2020

RT @jbrooksuk: Forge now provides better error messages when it's unable to connect via the root user. This access is needed to manage diff…
Tue Sep 29 14:32:22 +0000 2020


RT @reinink: I'm thrilled to announce that I'll be working with the awesome team at @laracasts to launch a *completely free* video series…
Mon Sep 28 18:27:29 +0000 2020

RT @denicmarko: Backend Frameworks with the most stars on GitHub: 1. Laravel - 61.6K⭐️ 2. Django - 52.1K⭐️ 3. Flask - 52.1K⭐️ 4. Spring Bo…
Sat Sep 26 18:06:07 +0000 2020

By the Year

In 2020 there have been 2 vulnerabilities in Laravel with an average score of 7.5 out of ten. Last year Laravel had 2 security vulnerabilities published. At the current rate, the number of vulnerabilities this year may equal last year's. Last year, the average CVE base score was higher by 1.80.

Year   Vulnerabilities   Average Score
2020   2                 7.50
2019   2                 9.30
2018   1                 8.10

It may take a day or so for new Laravel vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Laravel Security Vulnerabilities

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2

CVE-2020-24940 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

CVE-2020-24940 is exploitable with network access, and does not require privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0

CVE-2020-24941 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

CVE-2020-24941 can be exploited with network access, and does not require privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php

CVE-2018-6330 8.8 - High - March 28, 2019

Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters.

CVE-2018-6330 is exploitable with network access, and requires a low level of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability

CVE-2019-9081 9.8 - Critical - February 24, 2019

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.

CVE-2019-9081 can be exploited with network access, and does not require privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Marshaling, Unmarshaling

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29

CVE-2018-15133 8.1 - High - August 09, 2018

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

CVE-2018-15133 can be exploited with network access, and does not require privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Marshaling, Unmarshaling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8