cpe:2.3:a:laravel:livewire:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Laravel (753b10ea-9525-5ae4-bc49-6f2cc8b8ce8c) |
|---|---|
| Product | Livewire (0515ea5b-5f92-5552-8696-75a1550fd72f) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:composer/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.136595 |
| pkg:github/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.136597 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2024-47823 | vulnerable | 2026-06-08 06:48:13.316095 | Livewire Remote Code Execution (RCE) on File Uploads. Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability. Published: 2024-10-08T17:48:36.496Z. Updated: 2025-07-17T18:22:08.024Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-22859 | vulnerable | 2026-06-08 06:29:36.106308 | Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem. Published: 2024-02-01T00:00:00.000Z. Updated: 2025-05-29T15:02:56.388Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-21504 | vulnerable | 2026-06-08 06:27:35.444301 | MEDIUM (6.1). Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it. Published: 2024-03-19T05:00:00.698Z. Updated: 2024-08-27T20:55:55.163Z | Imported from gcve-enriched-dumps CVE data |