Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (laravel/framework-v8.83.25 version) |
Remediation Possible** |
| CVE-2021-43617 |
 Critical |
9.8 |
laravel/framework-v8.83.25 |
Direct |
php-illuminate-session - 6.20.14+dfsg-2+deb11u1;php-illuminate-broadcasting - 6.20.14+dfsg-2+deb11u1;php-illuminate-config - 6.20.14+dfsg-2+deb11u1;php-illuminate-cookie - 6.20.14+dfsg-2+deb11u1;php-laravel-framework - 6.20.14+dfsg-2+deb11u1;php-illuminate-database - 6.20.14+dfsg-2+deb11u1;php-illuminate-translation - 6.20.14+dfsg-2+deb11u1;php-illuminate-support - 6.20.14+dfsg-2+deb11u1;php-illuminate-encryption - 6.20.14+dfsg-2+deb11u1;php-illuminate-hashing - 6.20.14+dfsg-2+deb11u1;php-illuminate-auth - 6.20.14+dfsg-2+deb11u1;php-illuminate-http - 6.20.14+dfsg-2+deb11u1;php-illuminate-mail - 6.20.14+dfsg-2+deb11u1;php-illuminate-view - 6.20.14+dfsg-2+deb11u1;php-illuminate-pipeline - 6.20.14+dfsg-2+deb11u1;php-illuminate-filesystem - 6.20.14+dfsg-2+deb11u1;php-illuminate-validation - 6.20.14+dfsg-2+deb11u1;php-illuminate-container - 6.20.14+dfsg-2+deb11u1;php-illuminate-notifications - 6.20.14+dfsg-2+deb11u1;php-illuminate-cache - 6.20.14+dfsg-2+deb11u1;php-illuminate-contracts - 6.20.14+dfsg-2+deb11u1;php-illuminate-routing - 6.20.14+dfsg-2+deb11u1;php-illuminate-queue - 6.20.14+dfsg-2+deb11u1;php-illuminate-redis - 6.20.14+dfsg-2+deb11u1;php-illuminate-bus - 6.20.14+dfsg-2+deb11u1;php-illuminate-log - 6.20.14+dfsg-2+deb11u1;php-illuminate-console - 6.20.14+dfsg-2+deb11u1;php-illuminate-pagination - 6.20.14+dfsg-2+deb11u1;php-illuminate-events - 6.20.14+dfsg-2+deb11u1 |
❌ |
| CVE-2020-19316 |
 High |
8.8 |
laravel/framework-v8.83.25 |
Direct |
N/A |
❌ |
| CVE-2018-15133 |
High |
8.1 |
laravel/framework-v8.83.25 |
Direct |
laravel/framework - v5.6.30 |
❌ |
| CVE-2024-52301 |
High |
7.5 |
laravel/framework-v8.83.25 |
Direct |
N/A |
❌ |
| CVE-2025-64500 |
High |
7.3 |
symfony/http-foundation-v5.4.20 |
Transitive |
N/A* |
❌ |
| CVE-2025-22145 |
High |
7.3 |
nesbot/carbon-2.62.1 |
Transitive |
N/A* |
❌ |
| CVE-2021-21263 |
High |
7.2 |
laravel/framework-v8.83.25 |
Direct |
v6.20.11,v7.30.2,v8.22.1 |
❌ |
| CVE-2025-27515 |
 Medium |
6.5 |
laravel/framework-v8.83.25 |
Direct |
N/A |
❌ |
| CVE-2025-46734 |
Medium |
6.4 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| CVE-2026-33347 |
Medium |
5.8 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| WS-2021-0079 |
Medium |
5.4 |
laravel/framework-v8.83.25 |
Direct |
N/A |
❌ |
| CVE-2022-40482 |
Medium |
5.3 |
laravel/framework-v8.83.25 |
Direct |
N/A |
❌ |
| CVE-2021-43808 |
Medium |
5.3 |
laravel/framework-v8.83.25 |
Direct |
v6.20.42, v7.30.6, v8.75.0 |
❌ |
| CVE-2026-30838 |
Medium |
4.1 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| CVE-2024-50345 |
 Low |
3.1 |
symfony/http-foundation-v5.4.20 |
Transitive |
N/A* |
❌ |
| CVE-2024-51736 |
Low |
0.0 |
symfony/process-v5.4.11 |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-43617
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Publish Date: 2021-11-14
URL: CVE-2021-43617
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43617
Release Date: 2021-11-14
Fix Resolution: php-illuminate-session - 6.20.14+dfsg-2+deb11u1;php-illuminate-broadcasting - 6.20.14+dfsg-2+deb11u1;php-illuminate-config - 6.20.14+dfsg-2+deb11u1;php-illuminate-cookie - 6.20.14+dfsg-2+deb11u1;php-laravel-framework - 6.20.14+dfsg-2+deb11u1;php-illuminate-database - 6.20.14+dfsg-2+deb11u1;php-illuminate-translation - 6.20.14+dfsg-2+deb11u1;php-illuminate-support - 6.20.14+dfsg-2+deb11u1;php-illuminate-encryption - 6.20.14+dfsg-2+deb11u1;php-illuminate-hashing - 6.20.14+dfsg-2+deb11u1;php-illuminate-auth - 6.20.14+dfsg-2+deb11u1;php-illuminate-http - 6.20.14+dfsg-2+deb11u1;php-illuminate-mail - 6.20.14+dfsg-2+deb11u1;php-illuminate-view - 6.20.14+dfsg-2+deb11u1;php-illuminate-pipeline - 6.20.14+dfsg-2+deb11u1;php-illuminate-filesystem - 6.20.14+dfsg-2+deb11u1;php-illuminate-validation - 6.20.14+dfsg-2+deb11u1;php-illuminate-container - 6.20.14+dfsg-2+deb11u1;php-illuminate-notifications - 6.20.14+dfsg-2+deb11u1;php-illuminate-cache - 6.20.14+dfsg-2+deb11u1;php-illuminate-contracts - 6.20.14+dfsg-2+deb11u1;php-illuminate-routing - 6.20.14+dfsg-2+deb11u1;php-illuminate-queue - 6.20.14+dfsg-2+deb11u1;php-illuminate-redis - 6.20.14+dfsg-2+deb11u1;php-illuminate-bus - 6.20.14+dfsg-2+deb11u1;php-illuminate-log - 6.20.14+dfsg-2+deb11u1;php-illuminate-console - 6.20.14+dfsg-2+deb11u1;php-illuminate-pagination - 6.20.14+dfsg-2+deb11u1;php-illuminate-events - 6.20.14+dfsg-2+deb11u1
Step up your Open Source Security Game with Mend here
CVE-2020-19316
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.
Publish Date: 2021-12-20
URL: CVE-2020-19316
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2018-15133
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Publish Date: 2018-08-09
URL: CVE-2018-15133
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qvqm-h22r-4cp9
Release Date: 2018-08-09
Fix Resolution: laravel/framework - v5.6.30
Step up your Open Source Security Game with Mend here
CVE-2024-52301
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2025-64500
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/symfony - v5.4.50,symfony/http-foundation - v6.4.29,symfony/http-foundation - v5.4.50,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
Step up your Open Source Security Game with Mend here
CVE-2025-22145
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ nesbot/carbon-2.62.1 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: nesbot/carbon - 2.72.6,nesbot/carbon - 3.8.4
Step up your Open Source Security Game with Mend here
CVE-2021-21263
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-01-19
URL: CVE-2021-21263
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3p32-j457-pg5x
Release Date: 2021-01-19
Fix Resolution: v6.20.11,v7.30.2,v8.22.1
Step up your Open Source Security Game with Mend here
CVE-2025-27515
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2025-46734
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
Step up your Open Source Security Game with Mend here
CVE-2026-33347
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Publish Date: 2026-03-24
URL: CVE-2026-33347
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh8v-hgvp-g3f5
Release Date: 2026-03-20
Fix Resolution: league/commonmark - 2.8.2
Step up your Open Source Security Game with Mend here
WS-2021-0079
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the "limit" and "offset" functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. Patches This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0. Workarounds You may workaround this vulnerability by ensuring that only integers are passed to the "limit" and "offset" functions, as well as the "skip" and "take" functions.
Publish Date: 2026-05-14
URL: WS-2021-0079
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2022-40482
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
Publish Date: 2023-04-25
URL: CVE-2022-40482
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2021-43808
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.
Publish Date: 2021-12-07
URL: CVE-2021-43808
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-66hf-2p6w-jqfw
Release Date: 2021-12-07
Fix Resolution: v6.20.42, v7.30.6, v8.75.0
Step up your Open Source Security Game with Mend here
CVE-2026-30838
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Publish Date: 2026-03-07
URL: CVE-2026-30838
CVSS 3 Score Details (4.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4v6x-c7xx-hw9f
Release Date: 2026-03-07
Fix Resolution: league/commonmark - 2.8.1
Step up your Open Source Security Game with Mend here
CVE-2024-50345
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,symfony/http-foundation - v7.1.7,symfony/http-foundation - v6.4.14
Step up your Open Source Security Game with Mend here
CVE-2024-51736
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/process-v5.4.11 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq5c-677p-737q
Release Date: 2024-11-06
Fix Resolution: symfony/symfony - v6.4.14,symfony/process - v7.1.7,symfony/process - v5.4.46,symfony/process - v6.4.14,symfony/symfony - v7.1.7
Step up your Open Source Security Game with Mend here
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Publish Date: 2021-11-14
URL: CVE-2021-43617
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43617
Release Date: 2021-11-14
Fix Resolution: php-illuminate-session - 6.20.14+dfsg-2+deb11u1;php-illuminate-broadcasting - 6.20.14+dfsg-2+deb11u1;php-illuminate-config - 6.20.14+dfsg-2+deb11u1;php-illuminate-cookie - 6.20.14+dfsg-2+deb11u1;php-laravel-framework - 6.20.14+dfsg-2+deb11u1;php-illuminate-database - 6.20.14+dfsg-2+deb11u1;php-illuminate-translation - 6.20.14+dfsg-2+deb11u1;php-illuminate-support - 6.20.14+dfsg-2+deb11u1;php-illuminate-encryption - 6.20.14+dfsg-2+deb11u1;php-illuminate-hashing - 6.20.14+dfsg-2+deb11u1;php-illuminate-auth - 6.20.14+dfsg-2+deb11u1;php-illuminate-http - 6.20.14+dfsg-2+deb11u1;php-illuminate-mail - 6.20.14+dfsg-2+deb11u1;php-illuminate-view - 6.20.14+dfsg-2+deb11u1;php-illuminate-pipeline - 6.20.14+dfsg-2+deb11u1;php-illuminate-filesystem - 6.20.14+dfsg-2+deb11u1;php-illuminate-validation - 6.20.14+dfsg-2+deb11u1;php-illuminate-container - 6.20.14+dfsg-2+deb11u1;php-illuminate-notifications - 6.20.14+dfsg-2+deb11u1;php-illuminate-cache - 6.20.14+dfsg-2+deb11u1;php-illuminate-contracts - 6.20.14+dfsg-2+deb11u1;php-illuminate-routing - 6.20.14+dfsg-2+deb11u1;php-illuminate-queue - 6.20.14+dfsg-2+deb11u1;php-illuminate-redis - 6.20.14+dfsg-2+deb11u1;php-illuminate-bus - 6.20.14+dfsg-2+deb11u1;php-illuminate-log - 6.20.14+dfsg-2+deb11u1;php-illuminate-console - 6.20.14+dfsg-2+deb11u1;php-illuminate-pagination - 6.20.14+dfsg-2+deb11u1;php-illuminate-events - 6.20.14+dfsg-2+deb11u1
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17.
Publish Date: 2021-12-20
URL: CVE-2020-19316
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Publish Date: 2018-08-09
URL: CVE-2018-15133
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qvqm-h22r-4cp9
Release Date: 2018-08-09
Fix Resolution: laravel/framework - v5.6.30
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/symfony - v5.4.50,symfony/http-foundation - v6.4.29,symfony/http-foundation - v5.4.50,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: nesbot/carbon - 2.72.6,nesbot/carbon - 3.8.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-01-19
URL: CVE-2021-21263
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3p32-j457-pg5x
Release Date: 2021-01-19
Fix Resolution: v6.20.11,v7.30.2,v8.22.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Publish Date: 2026-03-24
URL: CVE-2026-33347
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hh8v-hgvp-g3f5
Release Date: 2026-03-20
Fix Resolution: league/commonmark - 2.8.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the "limit" and "offset" functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. Patches This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0. Workarounds You may workaround this vulnerability by ensuring that only integers are passed to the "limit" and "offset" functions, as well as the "skip" and "take" functions.
Publish Date: 2026-05-14
URL: WS-2021-0079
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
Publish Date: 2023-04-25
URL: CVE-2022-40482
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.
Publish Date: 2021-12-07
URL: CVE-2021-43808
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-66hf-2p6w-jqfw
Release Date: 2021-12-07
Fix Resolution: v6.20.42, v7.30.6, v8.75.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Publish Date: 2026-03-07
URL: CVE-2026-30838
CVSS 3 Score Details (4.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4v6x-c7xx-hw9f
Release Date: 2026-03-07
Fix Resolution: league/commonmark - 2.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,symfony/http-foundation - v7.1.7,symfony/http-foundation - v6.4.14
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qq5c-677p-737q
Release Date: 2024-11-06
Fix Resolution: symfony/symfony - v6.4.14,symfony/process - v7.1.7,symfony/process - v5.4.46,symfony/process - v6.4.14,symfony/symfony - v7.1.7
Step up your Open Source Security Game with Mend here