Skip to main content

Laravel CVE-2025-54068

CRITICAL
Code Injection (CWE-94)
2025-07-17 security-advisories@github.com GHSA-29cq-5w36-x7w3
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Added to CISA KEV
Mar 20, 2026 - 18:36 cisa
CISA KEV
Analysis Generated
Mar 20, 2026 - 16:07 vuln.today
Patch released
Mar 20, 2026 - 16:07 nvd
Patch available
CVE Published
Jul 17, 2025 - 19:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

AnalysisAI

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Technical ContextAI

Livewire is a full-stack framework for Laravel that enables reactive server-side rendering. Component state is serialized, sent to the client, and deserialized (hydrated) on subsequent requests. The vulnerability exists in how certain property updates are hydrated — attacker-controlled data can influence the hydration process to execute arbitrary PHP code. This affects Livewire v3 specifically (introduced in the v3 rewrite) and is exploitable without authentication on any page using vulnerable component patterns.

RemediationAI

Upgrade Livewire to v3.6.4 or later immediately. If unable to upgrade, review component property definitions for potentially vulnerable patterns. Rotate all secrets in .env after patching. Audit application logs for suspicious Livewire requests.

CVE-2017-16894 HIGH POC
7.5 Nov 20

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwo

CVE-2025-53833 CRITICAL POC
10.0 Jul 14

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote C

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2018-15133 HIGH POC
8.1 Aug 09

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unseri

CVE-2025-70841 CRITICAL POC
10.0 Feb 03

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtai

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2026-21448 CRITICAL POC
9.8 Jan 02

Bagisto eCommerce platform before 2.3.10 is vulnerable to server-side template injection (SSTI) through customer address

CVE-2026-21446 CRITICAL POC
9.8 Jan 02

Bagisto eCommerce platform (2.3 branch before 2.3.10) leaves installation API routes active after setup, allowing unauth

CVE-2022-2870 CRITICAL POC
9.8 Aug 17

A vulnerability was found in laravel 5.1 and classified as problematic. Rated critical severity (CVSS 9.8), this vulnera

CVE-2026-21449 HIGH POC
8.8 Jan 02

Bagisto eCommerce platform versions before 2.3.10 suffer from server-side template injection through user-controllable f

CVE-2022-2886 HIGH POC
8.8 Aug 19

A vulnerability, which was classified as critical, was found in Laravel 5.1. Rated high severity (CVSS 8.8), this vulner

Share

CVE-2025-54068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy