Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.
Remote code execution in Island Lake Consulting's WebBatch prior to version 2025C allows remote attackers to run arbitrary code by supplying a crafted URL. Rated CVSS 9.8 with an unauthenticated network vector (PR:N/UI:N), the flaw stems from code injection (CWE-94) in the product's URL handling, giving full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-interaction profile makes it a high-priority patch candidate.