{"url":"http://public2.vulnerablecode.io/api/packages/102920?format=json","purl":"pkg:composer/laravel/framework@5.1.27","type":"composer","namespace":"laravel","name":"framework","version":"5.1.27","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.5.42","latest_non_vulnerable_version":"10.36.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12248?format=json","vulnerability_id":"VCID-37bm-7qzp-muc4","summary":"Cryptographic Issues\nExploit of encryption failure vulnerability","references":[{"reference_url":"https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0","reference_id":"","reference_type":"","scores":[],"url":"https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102939?format=json","purl":"pkg:composer/laravel/framework@5.2.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8sv6-ekm9-mfbe"},{"vulnerability":"VCID-hefc-6417-s3bm"},{"vulnerability":"VCID-y3ex-8u6x-wybk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.2.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/102984?format=json","purl":"pkg:composer/laravel/framework@5.3.0-RC1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8sv6-ekm9-mfbe"},{"vulnerability":"VCID-hefc-6417-s3bm"},{"vulnerability":"VCID-y3ex-8u6x-wybk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.3.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/54234?format=json","purl":"pkg:composer/laravel/framework@5.5.40","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j51t-hy9s-wfds"},{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.40"},{"url":"http://public2.vulnerablecode.io/api/packages/54235?format=json","purl":"pkg:composer/laravel/framework@5.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.15"},{"url":"http://public2.vulnerablecode.io/api/packages/89283?format=json","purl":"pkg:composer/laravel/framework@10.36.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0"}],"aliases":["GMS-2018-72"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37bm-7qzp-muc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11647?format=json","vulnerability_id":"VCID-8sv6-ekm9-mfbe","summary":"Close remember_me Timing Attack Vector\nThis package mishandles the `remember_me token` verification process because `DatabaseUserProvider` does not have constant-time token comparison.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-14775","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52591","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-14775"},{"reference_url":"https://github.com/laravel/framework/pull/21320","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/laravel/framework/pull/21320"},{"reference_url":"https://github.com/laravel/framework/releases/tag/v5.5.10","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/laravel/framework/releases/tag/v5.5.10"},{"reference_url":"https://laravel-news.com/laravel-v5-5-11","reference_id":"","reference_type":"","scores":[],"url":"https://laravel-news.com/laravel-v5-5-11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53172?format=json","purl":"pkg:composer/laravel/framework@5.5.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37bm-7qzp-muc4"},{"vulnerability":"VCID-y3ex-8u6x-wybk"},{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.10"}],"aliases":["CVE-2017-14775"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8sv6-ekm9-mfbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11415?format=json","vulnerability_id":"VCID-hefc-6417-s3bm","summary":"User phishing\nThere's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9303","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.4234","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9303"},{"reference_url":"https://github.com/laravel/framework/issues/18697","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/laravel/framework/issues/18697"},{"reference_url":"https://laravel.com/docs/5.4/releases#laravel-5.4.22","reference_id":"","reference_type":"","scores":[],"url":"https://laravel.com/docs/5.4/releases#laravel-5.4.22"},{"reference_url":"https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix","reference_id":"","reference_type":"","scores":[],"url":"https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52597?format=json","purl":"pkg:composer/laravel/framework@5.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37bm-7qzp-muc4"},{"vulnerability":"VCID-8sv6-ekm9-mfbe"},{"vulnerability":"VCID-y3ex-8u6x-wybk"},{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.4.22"}],"aliases":["CVE-2017-9303"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hefc-6417-s3bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12247?format=json","vulnerability_id":"VCID-y3ex-8u6x-wybk","summary":"Unsafe payload decryption\nThere's a potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false. To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. This could lead to unexpected behavior when combined with weak type comparisons.","references":[{"reference_url":"https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0","reference_id":"","reference_type":"","scores":[],"url":"https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54234?format=json","purl":"pkg:composer/laravel/framework@5.5.40","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j51t-hy9s-wfds"},{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.40"},{"url":"http://public2.vulnerablecode.io/api/packages/54235?format=json","purl":"pkg:composer/laravel/framework@5.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z6e8-6d7p-17g4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.15"},{"url":"http://public2.vulnerablecode.io/api/packages/89283?format=json","purl":"pkg:composer/laravel/framework@10.36.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0"}],"aliases":["GMS-2018-27"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3ex-8u6x-wybk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12865?format=json","vulnerability_id":"VCID-z6e8-6d7p-17g4","summary":"Session Fixation\nCookie serialization vulnerability in laravel framework.","references":[{"reference_url":"https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30","reference_id":"","reference_type":"","scores":[],"url":"https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102939?format=json","purl":"pkg:composer/laravel/framework@5.2.0-beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8sv6-ekm9-mfbe"},{"vulnerability":"VCID-hefc-6417-s3bm"},{"vulnerability":"VCID-y3ex-8u6x-wybk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.2.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/102984?format=json","purl":"pkg:composer/laravel/framework@5.3.0-RC1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8sv6-ekm9-mfbe"},{"vulnerability":"VCID-hefc-6417-s3bm"},{"vulnerability":"VCID-y3ex-8u6x-wybk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.3.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/55318?format=json","purl":"pkg:composer/laravel/framework@5.5.42","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.42"},{"url":"http://public2.vulnerablecode.io/api/packages/55319?format=json","purl":"pkg:composer/laravel/framework@5.6.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.30"},{"url":"http://public2.vulnerablecode.io/api/packages/89283?format=json","purl":"pkg:composer/laravel/framework@10.36.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0"}],"aliases":["GMS-2018-73"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z6e8-6d7p-17g4"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.1.27"}