Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/livewire/livewire@2.12.7
purl pkg:composer/livewire/livewire@2.12.7
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-h7s5-tq2x-23gv Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-47823
GHSA-f3cx-396f-7jqp

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T19:42:31.288892+00:00 GitLab Importer Fixing VCID-h7s5-tq2x-23gv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-47823.yml 38.6.0
2026-06-12T07:39:55.375941+00:00 GithubOSV Importer Fixing VCID-h7s5-tq2x-23gv https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f3cx-396f-7jqp/GHSA-f3cx-396f-7jqp.json 38.6.0
2026-06-11T20:36:11.179403+00:00 GHSA Importer Fixing VCID-h7s5-tq2x-23gv https://github.com/advisories/GHSA-f3cx-396f-7jqp 38.6.0