
cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Laravel (753b10ea-9525-5ae4-bc49-6f2cc8b8ce8c)
Product: Livewire (0515ea5b-5f92-5552-8696-75a1550fd72f)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:composer/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.072062
pkg:github/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.072064

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-54068 vulnerable 2026-06-08 07:33:11.101871 Livewire vulnerable to remote command execution during property update hydration
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
Published: 2025-07-17T18:16:56.099Z
Updated: 2026-03-23T13:04:50.156Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-47823 vulnerable 2026-06-08 06:48:13.317572 Livewire Remote Code Execution (RCE) on File Uploads
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack:
1. Filename is composed of the original file name using `$file->getClientOriginalName()`.
2. Files stored directly on your server in a public storage disk.
3. Webserver is configured to execute “.php” files.
This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Published: 2024-10-08T17:48:36.496Z
Updated: 2025-07-17T18:22:08.024Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-21504 vulnerable 2026-06-08 06:27:35.445704 Details available
MEDIUM (6.1)
Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.
Published: 2024-03-19T05:00:00.698Z
Updated: 2024-08-27T20:55:55.163Z
Imported from gcve-enriched-dumps CVE data
