Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/laravel/framework@6.20.2
purl pkg:composer/laravel/framework@6.20.2
Next non-vulnerable version 10.48.29
Latest non-vulnerable version 12.1.1
Risk 10.0
Vulnerabilities affecting this package (10)
Vulnerability Summary Fixed by
VCID-2ujb-xr8g-uqb4
Aliases:
CVE-2025-27515
GHSA-78fx-h6xr-vch4
Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
10.48.29
Affected by 0 other vulnerabilities.
11.44.1
Affected by 0 other vulnerabilities.
12.1.1
Affected by 0 other vulnerabilities.
VCID-77hd-k355-aybk
Aliases:
CVE-2021-21263
GHSA-3p32-j457-pg5x
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
6.20.11
Affected by 10 other vulnerabilities.
6.20.12
Affected by 9 other vulnerabilities.
7.30.2
Affected by 8 other vulnerabilities.
7.30.3
Affected by 7 other vulnerabilities.
8.22.1
Affected by 9 other vulnerabilities.
VCID-dey5-mvbh-8kee
Aliases:
CVE-2021-43808
GHSA-66hf-2p6w-jqfw
Laravel Framework XSS in Blade templating engine
6.20.42
Affected by 3 other vulnerabilities.
7.30.6
Affected by 2 other vulnerabilities.
8.75.0
Affected by 3 other vulnerabilities.
VCID-dv5r-38eg-w3ea
Aliases:
CVE-2021-43617
GHSA-364w-9g92-3grq
Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.
8.73.0
Affected by 4 other vulnerabilities.
10.36.0
Affected by 2 other vulnerabilities.
VCID-eu4h-u34t-yfag
Aliases:
GHSA-wq8p-mqvg-2p5h
laravel framework SQL Injection via limit and offset functions
6.20.26
Affected by 5 other vulnerabilities.
7.30.5
Affected by 3 other vulnerabilities.
8.40.0
Affected by 5 other vulnerabilities.
VCID-muvu-yk1g-quam
Aliases:
CVE-2019-9081
GHSA-pfg4-p438-p874
Laravel Framework Deserialization Vulnerability The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the `__destruct` method of the PendingCommand class in `PendingCommand.php`.
6.20.44
Affected by 2 other vulnerabilities.
VCID-sswb-j9k9-5ydj
Aliases:
GHSA-x7p5-p2c9-phvg
GMS-2021-114
GMS-2021-116
Unexpected database bindings This is a follow-up to the previous security advisory (GHSA-3p32-j457-pg5x) which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
6.20.14
Affected by 7 other vulnerabilities.
7.30.4
Affected by 5 other vulnerabilities.
8.24.0
Affected by 7 other vulnerabilities.
VCID-u7f4-wtvf-gkbf
Aliases:
CVE-2024-52301
GHSA-gv7v-rgg6-548h
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
6.20.45
Affected by 1 other vulnerability.
7.30.7
Affected by 1 other vulnerability.
8.83.28
Affected by 1 other vulnerability.
9.0.0-beta.1
Affected by 2 other vulnerabilities.
9.52.17
Affected by 1 other vulnerability.
10.48.23
Affected by 1 other vulnerability.
11.31.0
Affected by 3 other vulnerabilities.
VCID-w6h7-vqjt-5khn
Aliases:
GHSA-jwvj-pwww-3mj5
laravel framework Unexpected database bindings via requests
6.20.14
Affected by 7 other vulnerabilities.
7.30.4
Affected by 5 other vulnerabilities.
8.24.0
Affected by 7 other vulnerabilities.
VCID-w7yr-t5fa-67ch
Aliases:
GHSA-4mg9-vhxq-vm7j
GMS-2021-113
GMS-2021-115
SQL Server LIMIT / OFFSET SQL Injection in laravel/framework and illuminate/database ### Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the `limit` and `offset` functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. ### Patches This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0. ### Workarounds You may workaround this vulnerability by ensuring that only integers are passed to the `limit` and `offset` functions, as well as the `skip` and `take` functions.
6.20.26
Affected by 5 other vulnerabilities.
8.40.0
Affected by 5 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T16:52:19.464966+00:00 GitLab Importer Affected by VCID-w7yr-t5fa-67ch https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/GMS-2021-115.yml 38.6.0
2026-06-13T16:47:47.210749+00:00 GitLab Importer Affected by VCID-sswb-j9k9-5ydj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/GMS-2021-116.yml 38.6.0
2026-06-13T08:23:45.899265+00:00 GHSA Importer Affected by VCID-77hd-k355-aybk https://github.com/advisories/GHSA-3p32-j457-pg5x 38.6.0
2026-06-12T19:54:09.884504+00:00 GitLab Importer Affected by VCID-2ujb-xr8g-uqb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2025-27515.yml 38.6.0
2026-06-12T19:46:35.200295+00:00 GitLab Importer Affected by VCID-u7f4-wtvf-gkbf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2024-52301.yml 38.6.0
2026-06-12T19:29:01.635517+00:00 GitLab Importer Affected by VCID-eu4h-u34t-yfag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/GHSA-wq8p-mqvg-2p5h.yml 38.6.0
2026-06-12T19:28:46.111107+00:00 GitLab Importer Affected by VCID-w6h7-vqjt-5khn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/GHSA-jwvj-pwww-3mj5.yml 38.6.0
2026-06-12T18:11:35.522355+00:00 GitLab Importer Affected by VCID-muvu-yk1g-quam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2019-9081.yml 38.6.0
2026-06-12T17:53:29.820516+00:00 GitLab Importer Affected by VCID-dey5-mvbh-8kee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2021-43808.yml 38.6.0
2026-06-12T17:51:58.920016+00:00 GitLab Importer Affected by VCID-dv5r-38eg-w3ea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2021-43617.yml 38.6.0
2026-06-12T17:32:00.807566+00:00 GitLab Importer Affected by VCID-77hd-k355-aybk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/laravel/framework/CVE-2021-21263.yml 38.6.0