Laravel: PHP Web Application Development Framework

By the Year

In 2021 there have been 0 vulnerabilities in Laravel. Last year Laravel had 2 security vulnerabilities published. Right now, Laravel is on track to have fewer security vulnerabilities in 2021 than it did last year.

Year  Vulnerabilities  Average Score
2021  0                0.00
2020  2                7.50
2019  0                0.00
2018  1                8.10

It may take a day or so for new Laravel vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Laravel Security Vulnerabilities

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2

CVE-2020-24940 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

CVE-2020-24940 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0

CVE-2020-24941 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

CVE-2020-24941 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29

CVE-2018-15133 8.1 - High - August 09, 2018

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

CVE-2018-15133 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Marshaling, Unmarshaling