What is the CVSS score of CVE-2025-70841?

CVE-2025-70841 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Laravel are affected by CVE-2025-70841?

A critical vulnerability in Dokans eCommerce Platform v3.9.2 exposes sensitive application configuration data, including database credentials and API keys, to unauthenticated attackers without…

Is there a public PoC exploit available for CVE-2025-70841?

Yes, a public proof-of-concept exploit is available for CVE-2025-70841. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-70841?

Within 24 hours: Take affected systems offline or restrict network access to the application, immediately audit logs for unauthorized access to /.env and related endpoints, and notify your incident response team and legal/compliance departments. Within 7 days: Rotate all exposed credentials (database passwords, API keys, secrets), conduct forensic analysis to determine scope of unauthorized access, and identify an upgrade or replacement platform. Within 30 days: Complete migration away from v3.9.2 to a patched version when available, perform full security assessment of exposed systems, and implement preventive controls to block direct access to configuration files.

Laravel CVE-2025-70841

CRITICAL

Improper Authentication (CWE-287)

2026-02-03 cve@mitre.org

Laravel Authentication Bypass Dokans

10.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 15:58 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 18:16 nvd

CRITICAL 10.0

DescriptionCVE.org

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.

AnalysisAI

Dokans SaaS e-commerce platform v3.9.2 has a CVSS 10.0 authentication bypass allowing unauthenticated attackers to obtain sensitive application secrets and tenant data.

Technical ContextAI

Dokans Multi-Tenancy Based eCommerce Platform SaaS v3.9.2 has a CWE-287 authentication bypass that allows unauthenticated remote attackers to access sensitive application secrets, API keys, and tenant-specific data.

RemediationAI

Update immediately. Rotate all API keys and payment credentials. Notify affected tenants.

CVE-2025-70841 vulnerability details – vuln.today

Back

Laravel CVE-2025-70841

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code