Laravel Livewire


Known Exploited Laravel Livewire Vulnerabilities

The following Laravel Livewire vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | Added |
| --- | --- | --- |
| Laravel Livewire Code Injection Vulnerability (CVE-2025-54068, Exploit Probability: 59.4%) | Laravel Livewire contains a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. | March 20, 2026 |

The vulnerability CVE-2025-54068: Laravel Livewire Code Injection Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities in Laravel Livewire. Livewire did not have any published security vulnerabilities last year.

| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 9.30 |

It may take a day or so for new Livewire vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Laravel Livewire Security Vulnerabilities

Livewire RCE via Unvalidated File Extension (before 2.12.7/3.5.2)
CVE-2024-47823 9.8 - Critical - October 08, 2024

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a .php file extension. If the following criteria are met, the attacker can carry out an RCE attack:

1. Filename is composed of the original file name using `$file->getClientOriginalName()`.
2. Files stored directly on your server in a public storage disk.
3. Webserver is configured to execute .php files.

This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Unrestricted File Upload

Livewire <3.0.4 CSRF Remote Code Exec via getCsrfToken
CVE-2024-22859 8.8 - High - February 01, 2024

Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code via the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.

Session Riding
