{"url":"http://public2.vulnerablecode.io/api/packages/466515?format=json","purl":"pkg:composer/laravel/framework@6.18.28","type":"composer","namespace":"laravel","name":"framework","version":"6.18.28","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.48.29","latest_non_vulnerable_version":"12.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44275?format=json","vulnerability_id":"VCID-2cvu-atev-9ke5","summary":"Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.\n# Withdrawn\n\nThis advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue.\n\n## Original CVE based description\n\nLaravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43617","reference_id":"","reference_type":"","scores":[{"value":"0.50135","scoring_system":"epss","scoring_elements":"0.97874","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43617"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43617","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43617"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1130-L1132","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1130-L1132"},{"reference_url":"https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1331-L1333","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1331-L1333"},{"reference_url":"https://github.com/laravel/framework/pull/39666","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/laravel/framework/pull/39666"},{"reference_url":"https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43617","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43617"},{"reference_url":"https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6"},{"reference_url":"https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083a667fd8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083a667fd8"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002728","reference_id":"1002728","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002728"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/50525.txt","reference_id":"CVE-2021-43617","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/50525.txt"},{"reference_url":"https://github.com/advisories/GHSA-364w-9g92-3grq","reference_id":"GHSA-364w-9g92-3grq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-364w-9g92-3grq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371154?format=json","purl":"pkg:composer/laravel/framework@8.73.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.73.0"},{"url":"http://public2.vulnerablecode.io/api/packages/390635?format=json","purl":"pkg:composer/laravel/framework@10.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0"}],"aliases":["CVE-2021-43617","GHSA-364w-9g92-3grq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2cvu-atev-9ke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31957?format=json","vulnerability_id":"VCID-34wy-r24r-sua4","summary":"Laravel has a File Validation Bypass\nWhen using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27515","reference_id":"","reference_type":"","scores":[{"value":"0.00284","scoring_system":"epss","scoring_elements":"0.51958","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27515"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27515","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27515"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5"},{"reference_url":"https://github.com/laravel/framework/commit/a4f7a8f9b83e21882abeef78c3174c66b0f4a26b","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/commit/a4f7a8f9b83e21882abeef78c3174c66b0f4a26b"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27515","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27515"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881","reference_id":"1103881","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881"},{"reference_url":"https://github.com/advisories/GHSA-78fx-h6xr-vch4","reference_id":"GHSA-78fx-h6xr-vch4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-78fx-h6xr-vch4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64843?format=json","purl":"pkg:composer/laravel/framework@10.48.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.48.29"},{"url":"http://public2.vulnerablecode.io/api/packages/64842?format=json","purl":"pkg:composer/laravel/framework@11.44.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@11.44.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64841?format=json","purl":"pkg:composer/laravel/framework@12.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@12.1.1"}],"aliases":["CVE-2025-27515","GHSA-78fx-h6xr-vch4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-34wy-r24r-sua4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14408?format=json","vulnerability_id":"VCID-3bun-mty3-hfgv","summary":"laravel framework SQL Injection via limit and offset functions\n### Impact\nThose using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.\n\n### Patches\nThis problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0.\n\n### Workarounds\nYou may workaround this vulnerability by ensuring that only integers are passed to the limit and offset functions, as well as the skip and take functions.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2021-04-28.yaml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2021-04-28.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j"},{"reference_url":"https://github.com/advisories/GHSA-wq8p-mqvg-2p5h","reference_id":"GHSA-wq8p-mqvg-2p5h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq8p-mqvg-2p5h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41141?format=json","purl":"pkg:composer/laravel/framework@6.20.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.26"},{"url":"http://public2.vulnerablecode.io/api/packages/41142?format=json","purl":"pkg:composer/laravel/framework@7.30.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.5"},{"url":"http://public2.vulnerablecode.io/api/packages/41143?format=json","purl":"pkg:composer/laravel/framework@8.40.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.40.0"}],"aliases":["GHSA-wq8p-mqvg-2p5h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3bun-mty3-hfgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46121?format=json","vulnerability_id":"VCID-467w-b463-hfb9","summary":"Improper Input Validation in Laravel\nAn issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24941","reference_id":"","reference_type":"","scores":[{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.43894","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24941"},{"reference_url":"https://blog.laravel.com/security-release-laravel-61835-7240","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.laravel.com/security-release-laravel-61835-7240"},{"reference_url":"https://github.com/laravel/framework/commit/897d107775737a958dbd0b2f3ea37877c7526371","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/commit/897d107775737a958dbd0b2f3ea37877c7526371"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24941","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24941"},{"reference_url":"https://github.com/advisories/GHSA-w68r-5p45-5rqp","reference_id":"GHSA-w68r-5p45-5rqp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w68r-5p45-5rqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80221?format=json","purl":"pkg:composer/laravel/framework@6.18.35","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.18.35"},{"url":"http://public2.vulnerablecode.io/api/packages/80222?format=json","purl":"pkg:composer/laravel/framework@7.24.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.24.0"}],"aliases":["CVE-2020-24941","GHSA-w68r-5p45-5rqp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-467w-b463-hfb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54330?format=json","vulnerability_id":"VCID-4u2q-n52q-fudc","summary":"Laravel Framework Deserialization Vulnerability\nThe Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the `__destruct` method of the PendingCommand class in `PendingCommand.php`.","references":[{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/discussions/40184","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/discussions/40184"},{"reference_url":"https://github.com/Laworigin/Laworigin.github.io/blob/master/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce/index.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Laworigin/Laworigin.github.io/blob/master/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce/index.html"},{"reference_url":"https://laworigin.github.io/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://laworigin.github.io/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce"},{"reference_url":"https://laworigin.github.io/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce/","reference_id":"","reference_type":"","scores":[],"url":"https://laworigin.github.io/2019/02/21/laravelv5-7%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96rce/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9081","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9081"},{"reference_url":"https://github.com/advisories/GHSA-pfg4-p438-p874","reference_id":"GHSA-pfg4-p438-p874","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pfg4-p438-p874"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103803?format=json","purl":"pkg:composer/laravel/framework@6.20.44","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.44"}],"aliases":["CVE-2019-9081","GHSA-pfg4-p438-p874"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4u2q-n52q-fudc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42650?format=json","vulnerability_id":"VCID-cckn-mmm4-9kcm","summary":"Laravel Framework XSS in Blade templating engine\nA security researcher has disclosed a possible XSS vulnerability in the Blade templating engine.\n\nGiven the following two Blade templates:\n\nresources/views/parent.blade.php:\n\n```html\n@section('content')\n<input value=\"{{ $value }}\">\n@show\n```\n\nresources/views/child.blade.php:\n\n```html\n@extends('parent')\n\n@section('content')\n<input value=\"{{ $value }}\">\n@endsection\n```\n\nAnd a route like the following:\n\n```php\nRoute::get('/example', function() {\n    $value = '//localhost/###parent-placeholder-040f06fd774092478d450774f5ba30c5da78acc8## onclick=location.assign(this.value);//';\n\n    return view('child', ['value' => $value]);\n});\n```\n\nThe broken HTML element may be clicked and the user is taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed.\n\nThis vulnerability has been patched by determining the parent placeholder at runtime and using a random hash that is unique to each request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43808","reference_id":"","reference_type":"","scores":[{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58367","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43808"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43808","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43808"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/view/CVE-2021-43808.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/view/CVE-2021-43808.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-43808.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-43808.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b"},{"reference_url":"https://github.com/laravel/framework/pull/39906","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/pull/39906"},{"reference_url":"https://github.com/laravel/framework/pull/39908","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/pull/39908"},{"reference_url":"https://github.com/laravel/framework/pull/39909","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/pull/39909"},{"reference_url":"https://github.com/laravel/framework/releases/tag/v6.20.42","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/releases/tag/v6.20.42"},{"reference_url":"https://github.com/laravel/framework/releases/tag/v7.30.6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/releases/tag/v7.30.6"},{"reference_url":"https://github.com/laravel/framework/releases/tag/v8.75.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/releases/tag/v8.75.0"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43808","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43808"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001333","reference_id":"1001333","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001333"},{"reference_url":"https://github.com/advisories/GHSA-66hf-2p6w-jqfw","reference_id":"GHSA-66hf-2p6w-jqfw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-66hf-2p6w-jqfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76892?format=json","purl":"pkg:composer/laravel/framework@6.20.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.42"},{"url":"http://public2.vulnerablecode.io/api/packages/76893?format=json","purl":"pkg:composer/laravel/framework@7.30.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.6"},{"url":"http://public2.vulnerablecode.io/api/packages/76894?format=json","purl":"pkg:composer/laravel/framework@8.75.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.75.0"}],"aliases":["CVE-2021-43808","GHSA-66hf-2p6w-jqfw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cckn-mmm4-9kcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14879?format=json","vulnerability_id":"VCID-f19v-y2u6-a7e1","summary":"Laravel Guard bypass in Eloquent models\nIn laravel releases before 6.18.34 and 7.23.2. It was possible to mass assign Eloquent attributes that included the model's table name:\n```\n$model->fill(['users.name' => 'Taylor']);\n```\nWhen doing so, Eloquent would remove the table name from the attribute for you. This was a \"convenience\" feature of Eloquent and was not documented.\n\nHowever, when paired with validation, this can lead to unexpected and unvalidated values being saved to the database. For this reason, we have removed the automatic stripping of table names from mass-asignment operations so that the attributes go through the typical \"fillable\" / \"guarded\" logic. Any attributes containing table names that are not explicitly declared as fillable will be discarded.\n\nThis security release will be a breaking change for applications that were relying on the undocumented table name stripping during mass assignment. Since this feature was relatively unknown and undocumented, we expect the vast majority of Laravel applications to be able to upgrade without issues.","references":[{"reference_url":"https://blog.laravel.com/security-release-laravel-61834-7232","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.laravel.com/security-release-laravel-61834-7232"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-08-06-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-08-06-1.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/advisories/GHSA-44pg-c29v-hp6r","reference_id":"GHSA-44pg-c29v-hp6r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44pg-c29v-hp6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44309?format=json","purl":"pkg:composer/laravel/framework@6.18.34","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-467w-b463-hfb9"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.18.34"},{"url":"http://public2.vulnerablecode.io/api/packages/44310?format=json","purl":"pkg:composer/laravel/framework@7.23.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-467w-b463-hfb9"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.23.2"}],"aliases":["GHSA-44pg-c29v-hp6r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f19v-y2u6-a7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14512?format=json","vulnerability_id":"VCID-jq25-23cd-5qem","summary":"Laravel RCE vulnerability in \"cookie\" session driver\nApplications using the \"cookie\" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the \"cookie\" driver.","references":[{"reference_url":"https://blog.laravel.com/laravel-cookie-security-releases","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.laravel.com/laravel-cookie-security-releases"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-07-27-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-07-27-1.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/advisories/GHSA-qm5c-m76r-2hfr","reference_id":"GHSA-qm5c-m76r-2hfr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm5c-m76r-2hfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41466?format=json","purl":"pkg:composer/laravel/framework@6.18.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-467w-b463-hfb9"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-f19v-y2u6-a7e1"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.18.31"},{"url":"http://public2.vulnerablecode.io/api/packages/41468?format=json","purl":"pkg:composer/laravel/framework@7.22.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-467w-b463-hfb9"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-f19v-y2u6-a7e1"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.22.4"}],"aliases":["GHSA-qm5c-m76r-2hfr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jq25-23cd-5qem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14678?format=json","vulnerability_id":"VCID-qj3x-8bvm-uqbb","summary":"laravel framework Unexpected database bindings via requests\nThis is a follow-up to the security advisory https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x which addresses a few additional edge cases.\n\nIf a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2021-01-21.yaml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2021-01-21.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg"},{"reference_url":"https://github.com/advisories/GHSA-jwvj-pwww-3mj5","reference_id":"GHSA-jwvj-pwww-3mj5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jwvj-pwww-3mj5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42307?format=json","purl":"pkg:composer/laravel/framework@6.20.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.14"},{"url":"http://public2.vulnerablecode.io/api/packages/42312?format=json","purl":"pkg:composer/laravel/framework@7.30.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/42317?format=json","purl":"pkg:composer/laravel/framework@8.24.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.24.0"}],"aliases":["GHSA-jwvj-pwww-3mj5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qj3x-8bvm-uqbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42531?format=json","vulnerability_id":"VCID-qsrn-ajyf-a7a7","summary":"Query Binding Exploitation\n### Description\n\nLaravel versions <6.20.12, <7.30.3 & <8.22.1 contain a query binding exploitation.\n\nIf a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.\n\nThis vulnerability was discovered by Tim Groenevelt (tim.g@foodbyus.com).\n\n### References\n\n- https://github.com/laravel/framework/pull/35865","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21263","reference_id":"","reference_type":"","scores":[{"value":"0.01139","scoring_system":"epss","scoring_elements":"0.78713","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21263"},{"reference_url":"https://blog.laravel.com/security-laravel-62011-7302-8221-released","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.laravel.com/security-laravel-62011-7302-8221-released"},{"reference_url":"https://blog.laravel.com/security-laravel-62012-7303-released","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.laravel.com/security-laravel-62012-7303-released"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21263","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21263"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml"},{"reference_url":"https://github.com/laravel/framework/pull/35865","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/pull/35865"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21263","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21263"},{"reference_url":"https://packagist.org/packages/illuminate/database","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/illuminate/database"},{"reference_url":"https://packagist.org/packages/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/laravel/framework"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980095","reference_id":"980095","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980095"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76784?format=json","purl":"pkg:composer/laravel/framework@6.20.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.11"},{"url":"http://public2.vulnerablecode.io/api/packages/466541?format=json","purl":"pkg:composer/laravel/framework@6.20.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-4u2q-n52q-fudc"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.12"},{"url":"http://public2.vulnerablecode.io/api/packages/76785?format=json","purl":"pkg:composer/laravel/framework@7.30.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-qsrn-ajyf-a7a7"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.2"},{"url":"http://public2.vulnerablecode.io/api/packages/466612?format=json","purl":"pkg:composer/laravel/framework@7.30.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.3"},{"url":"http://public2.vulnerablecode.io/api/packages/76780?format=json","purl":"pkg:composer/laravel/framework@8.22.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2cvu-atev-9ke5"},{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-3bun-mty3-hfgv"},{"vulnerability":"VCID-cckn-mmm4-9kcm"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"},{"vulnerability":"VCID-qj3x-8bvm-uqbb"},{"vulnerability":"VCID-t15x-xkys-b3gr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.22.1"}],"aliases":["CVE-2021-21263","GHSA-3p32-j457-pg5x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qsrn-ajyf-a7a7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12334?format=json","vulnerability_id":"VCID-t15x-xkys-b3gr","summary":"Laravel environment manipulation via query string\n## Description\n\nWhen the `register_argc_argv php` directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.\n\n## Resolution\n\nThe framework now ignores argv values for environment detection on non-cli SAPIs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52301","reference_id":"","reference_type":"","scores":[{"value":"0.65712","scoring_system":"epss","scoring_elements":"0.9852","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52301"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52301","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52301"},{"reference_url":"https://github.com/advisories/GHSA-gv7v-rgg6-548h","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gv7v-rgg6-548h"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-52301.yaml","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-52301.yaml"},{"reference_url":"https://github.com/laravel/framework","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework"},{"reference_url":"https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:51:08Z/"}],"url":"https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52301","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52301"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088189","reference_id":"1088189","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088189"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/611968?format=json","purl":"pkg:composer/laravel/framework@9.0.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-mbe6-x1yf-s3f9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@9.0.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/36662?format=json","purl":"pkg:composer/laravel/framework@6.20.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.45"},{"url":"http://public2.vulnerablecode.io/api/packages/36663?format=json","purl":"pkg:composer/laravel/framework@7.30.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.7"},{"url":"http://public2.vulnerablecode.io/api/packages/36664?format=json","purl":"pkg:composer/laravel/framework@8.83.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.83.28"},{"url":"http://public2.vulnerablecode.io/api/packages/36665?format=json","purl":"pkg:composer/laravel/framework@9.52.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@9.52.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36666?format=json","purl":"pkg:composer/laravel/framework@10.48.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.48.23"},{"url":"http://public2.vulnerablecode.io/api/packages/36668?format=json","purl":"pkg:composer/laravel/framework@11.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-34wy-r24r-sua4"},{"vulnerability":"VCID-91ac-stz5-myff"},{"vulnerability":"VCID-g4ug-cdv8-6qhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@11.31.0"}],"aliases":["CVE-2024-52301","GHSA-gv7v-rgg6-548h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t15x-xkys-b3gr"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.18.28"}