Search for vulnerabilities
| Vulnerability ID | VCID-zj39-eevs-kug3 |
| Aliases |
GHSA-4mg9-vhxq-vm7j
GMS-2021-113 GMS-2021-115 |
| Summary | SQL Server LIMIT / OFFSET SQL Injection in laravel/framework and illuminate/database ### Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the `limit` and `offset` functions is vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. ### Patches This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0. ### Workarounds You may workaround this vulnerability by ensuring that only integers are passed to the `limit` and `offset` functions, as well as the `skip` and `take` functions. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 8.0 |
| Risk | 4.0 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| generic_textual | HIGH | https://github.com/laravel/framework |
| generic_textual | HIGH | https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j |
| generic_textual | HIGH | https://packagist.org/packages/illuminate/database |
| generic_textual | HIGH | https://packagist.org/packages/laravel/framework |
| Reference id | Reference type | URL |
|---|---|---|
| https://github.com/laravel/framework | ||
| https://packagist.org/packages/illuminate/database | ||
| https://packagist.org/packages/laravel/framework | ||
| GHSA-4mg9-vhxq-vm7j | https://github.com/advisories/GHSA-4mg9-vhxq-vm7j | |
| GHSA-4mg9-vhxq-vm7j | https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:21:07.347994+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/illuminate/database/GMS-2021-113.yml | 38.6.0 |