CVE-2025-14894

CRITICAL 9.8 (CVSS 3.1)
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 16, 2026 - 13:16 (nvd)

Description

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

Analysis

Livewire Filemanager for Laravel contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload and execute arbitrary files on the server.

Technical Context

LivewireFilemanagerComponent.php does not properly validate uploaded file types (CWE-434), allowing attackers to bypass restrictions and upload executable PHP files that are then accessible via the web server.

Affected Products

Livewire Filemanager for Laravel

Remediation

Update Livewire Filemanager. Implement server-side file type validation. Store uploads outside the web root. Disable PHP execution in upload directories.
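
The server-side file type validation recommended above, sketched in plain PHP as an added example (it is not code from Livewire Filemanager or from this advisory). The function name, the allowlist and the sample uploads are assumptions constructed for illustration, and the check relies on PHP's bundled fileinfo extension.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist (assumption): extension => content types accepted for it.
const ALLOWED_UPLOADS = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
];

/**
 * Hypothetical helper: validate an uploaded temp file and return the
 * server-generated name to store it under. Throws when the file is rejected.
 */
function safeStoredName(string $tmpPath, string $clientName): string
{
    // The extension is the only part of the client-supplied name that is used.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new InvalidArgumentException("extension not allowed: '{$ext}'");
    }
    // Type is detected from the file content, not the client's Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        throw new InvalidArgumentException("content does not match .{$ext}");
    }
    // Random name: no client-chosen path segments or double extensions survive.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client file name, file content].
$samples = [
    ['invoice.pdf', "%PDF-1.4\n%constructed sample\n"],
    ['notes.php',   "<?php // constructed placeholder\n"],
    ['avatar.png',  "<?php // constructed placeholder\n"],
];

foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    try {
        echo "{$name}: accepted as ", safeStoredName($tmp, $name), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "{$name}: rejected ({$e->getMessage()})", PHP_EOL;
    } finally {
        unlink($tmp);
    }
}
```

Content sniffing can be satisfied by a file that is valid in more than one format, so this check complements, and does not replace, storing uploads outside the web root and disabling PHP execution in the upload directory.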

Priority Score

49
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0
