Package details: pkg:composer/livewire/livewire@3.5.2
purl pkg:composer/livewire/livewire@3.5.2
Next non-vulnerable version 3.6.4
Latest non-vulnerable version 3.6.4
Risk 10.0
Vulnerabilities affecting this package (1)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-5sj5-knp7-93e3 (Aliases: CVE-2025-54068, GHSA-29cq-5w36-x7w3) | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available. | 3.6.4 (Affected by 0 other vulnerabilities.) |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-h7s5-tq2x-23gv | Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | CVE-2024-47823, GHSA-f3cx-396f-7jqp |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T20:07:16.958186+00:00 | GitLab Importer | Affected by | VCID-5sj5-knp7-93e3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2025-54068.yml | 38.6.0 |
| 2026-06-12T19:42:31.536325+00:00 | GitLab Importer | Fixing | VCID-h7s5-tq2x-23gv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/livewire/livewire/CVE-2024-47823.yml | 38.6.0 |
| 2026-06-12T07:39:55.323559+00:00 | GithubOSV Importer | Fixing | VCID-h7s5-tq2x-23gv | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-f3cx-396f-7jqp/GHSA-f3cx-396f-7jqp.json | 38.6.0 |
| 2026-06-11T20:36:11.149778+00:00 | GHSA Importer | Fixing | VCID-h7s5-tq2x-23gv | https://github.com/advisories/GHSA-f3cx-396f-7jqp | 38.6.0 |