Skip to main content

Laravel CVE-2021-21263

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2021-01-19 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 19, 2021 - 20:15 nvd
MEDIUM 5.3

DescriptionNVD

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.

AnalysisAI

Laravel is a web application framework. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-74. Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results. Affected products include: Laravel. Version information: before 6.20.11.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-16894 HIGH POC
7.5 Nov 20

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwo

CVE-2025-54068 CRITICAL POC
9.8 Jul 17

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) th

CVE-2025-53833 CRITICAL POC
10.0 Jul 14

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote C

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2018-15133 HIGH POC
8.1 Aug 09

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unseri

CVE-2025-70841 CRITICAL POC
10.0 Feb 03

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtai

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2026-21448 CRITICAL POC
9.8 Jan 02

Bagisto eCommerce platform before 2.3.10 is vulnerable to server-side template injection (SSTI) through customer address

CVE-2026-21446 CRITICAL POC
9.8 Jan 02

Bagisto eCommerce platform (2.3 branch before 2.3.10) leaves installation API routes active after setup, allowing unauth

CVE-2022-2870 CRITICAL POC
9.8 Aug 17

A vulnerability was found in laravel 5.1 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnera

CVE-2026-21449 HIGH POC
8.8 Jan 02

Bagisto eCommerce platform versions before 2.3.10 suffer from server-side template injection through user-controllable f

Share

CVE-2021-21263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy