
cpe:2.3:a:laravel:livewire:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor: Laravel (753b10ea-9525-5ae4-bc49-6f2cc8b8ce8c)
Product: Livewire (0515ea5b-5f92-5552-8696-75a1550fd72f)
Edition: *
Language: *
Software edition: *
Target software: wordpress
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:composer/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.136595
pkg:github/livewire/livewire | purl2cpe | 2026-06-01 10:12:10.136597

Vulnerability references

Identifier: CVE:CVE-2024-47823
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:48:13.316095
db.gcve.eu details: Livewire Remote Code Execution (RCE) on File Uploads
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack:
1. Filename is composed of the original file name using `$file->getClientOriginalName()`.
2. Files stored directly on your server in a public storage disk.
3. Webserver is configured to execute “.php” files.
This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Published: 2024-10-08T17:48:36.496Z
Updated: 2025-07-17T18:22:08.024Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2024-22859
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:29:36.106308
db.gcve.eu details: Details available
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code via the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
Published: 2024-02-01T00:00:00.000Z
Updated: 2025-05-29T15:02:56.388Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2024-21504
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:27:35.444301
db.gcve.eu details: Details available
MEDIUM (6.1)
Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.
Published: 2024-03-19T05:00:00.698Z
Updated: 2024-08-27T20:55:55.163Z
Rationale: Imported from gcve-enriched-dumps CVE data
