Search

Find a vulnerability

Search criteria

    6 vulnerabilities by Laravel Holdings Inc.

    CVE-2020-36950 (GCVE-0-2020-36950)

    Vulnerability from nvd – Published: 2026-01-27 15:23 – Updated: 2026-04-07 14:05
    VLAI
    Title
    Laravel Nova 3.7.0 - 'range' DoS
    Summary
    Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Date Public
    2020-12-04 00:00
    Credits
    iqzer0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36950",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T21:07:25.905338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T21:35:57.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Laravel Nova",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.7.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "iqzer0"
            }
          ],
          "datePublic": "2020-12-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the \u0027range\u0027 parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:05:07.091Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49198",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49198"
            },
            {
              "name": "Laravel Nova Official Homepage",
              "tags": [
                "product"
              ],
              "url": "https://nova.laravel.com/"
            },
            {
              "name": "Laravel Nova Releases Page",
              "tags": [
                "patch"
              ],
              "url": "https://nova.laravel.com/releases"
            },
            {
              "name": "VulnCheck Advisory: Laravel Nova 3.7.0 - \u0027range\u0027 DoS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/laravel-nova-range-dos"
            }
          ],
          "title": "Laravel Nova 3.7.0 - \u0027range\u0027 DoS",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2020-36950",
        "datePublished": "2026-01-27T15:23:50.926Z",
        "dateReserved": "2026-01-25T13:50:01.143Z",
        "dateUpdated": "2026-04-07T14:05:07.091Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13919 (GCVE-0-2024-13919)

    Vulnerability from nvd – Published: 2025-03-10 10:03 – Updated: 2025-03-10 17:02
    VLAI
    Title
    Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
    Summary
    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Laravel Holdings Inc. Laravel Framework Affected: 11.9.0 , ≤ 11.35.1 (custom)
    Create a notification for this product.
    Credits
    Fabian Funder (SBA Research) Philipp Adelsberger (SBA Research) Jeremy Angele
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13919",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T12:38:06.695003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T12:41:35.550Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-10T17:02:42.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/10/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Laravel Framework",
              "repo": "https://github.com/laravel/framework",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "11.35.1",
                  "status": "affected",
                  "version": "11.9.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must run with debug-mode enabled (\u003ctt\u003eAPP_DEBUG=true\u003c/tt\u003e)."
                }
              ],
              "value": "The application must run with debug-mode enabled (APP_DEBUG=true)."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Funder (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Philipp Adelsberger (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeremy Angele"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page."
                }
              ],
              "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-10T10:03:01.374Z",
            "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
            "shortName": "sba-research"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/laravel/framework/pull/53869"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/laravel/framework/releases/tag/v11.36.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 11.36.0 or later."
                }
              ],
              "value": "Update to version 11.36.0 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ensure that the application does not run in debug-mode by setting \u003ctt\u003eAPP_DEBUG=false\u003c/tt\u003e in your configuration."
                }
              ],
              "value": "Ensure that the application does not run in debug-mode by setting APP_DEBUG=false in your configuration."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "assignerShortName": "sba-research",
        "cveId": "CVE-2024-13919",
        "datePublished": "2025-03-10T10:03:01.374Z",
        "dateReserved": "2025-03-04T18:11:39.565Z",
        "dateUpdated": "2025-03-10T17:02:42.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-13918 (GCVE-0-2024-13918)

    Vulnerability from nvd – Published: 2025-03-10 10:02 – Updated: 2025-03-10 17:02
    VLAI
    Title
    Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
    Summary
    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Laravel Holdings Inc. Laravel Framework Affected: 11.9.0 , ≤ 11.35.1 (custom)
    Create a notification for this product.
    Credits
    Fabian Funder (SBA Research) Philipp Adelsberger (SBA Research) Jeremy Angele
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13918",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T12:55:25.311761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T12:55:46.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-10T17:02:40.794Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/10/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Laravel Framework",
              "repo": "https://github.com/laravel/framework",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "11.35.1",
                  "status": "affected",
                  "version": "11.9.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must run with debug-mode enabled (\u003ctt\u003eAPP_DEBUG=true\u003c/tt\u003e)."
                }
              ],
              "value": "The application must run with debug-mode enabled (APP_DEBUG=true)."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Funder (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Philipp Adelsberger (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeremy Angele"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page."
                }
              ],
              "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-10T10:02:29.530Z",
            "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
            "shortName": "sba-research"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/laravel/framework/pull/53869"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/laravel/framework/releases/tag/v11.36.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 11.36.0 or later."
                }
              ],
              "value": "Update to version 11.36.0 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ensure that the application does not run in debug-mode by setting \u003ctt\u003eAPP_DEBUG=false\u003c/tt\u003e in your configuration."
                }
              ],
              "value": "Ensure that the application does not run in debug-mode by setting APP_DEBUG=false in your configuration."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "assignerShortName": "sba-research",
        "cveId": "CVE-2024-13918",
        "datePublished": "2025-03-10T10:02:29.530Z",
        "dateReserved": "2025-03-04T18:11:33.625Z",
        "dateUpdated": "2025-03-10T17:02:40.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36950 (GCVE-0-2020-36950)

    Vulnerability from cvelistv5 – Published: 2026-01-27 15:23 – Updated: 2026-04-07 14:05
    VLAI
    Title
    Laravel Nova 3.7.0 - 'range' DoS
    Summary
    Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Date Public
    2020-12-04 00:00
    Credits
    iqzer0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36950",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-27T21:07:25.905338Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-27T21:35:57.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Laravel Nova",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.7.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "iqzer0"
            }
          ],
          "datePublic": "2020-12-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the \u0027range\u0027 parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:05:07.091Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49198",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49198"
            },
            {
              "name": "Laravel Nova Official Homepage",
              "tags": [
                "product"
              ],
              "url": "https://nova.laravel.com/"
            },
            {
              "name": "Laravel Nova Releases Page",
              "tags": [
                "patch"
              ],
              "url": "https://nova.laravel.com/releases"
            },
            {
              "name": "VulnCheck Advisory: Laravel Nova 3.7.0 - \u0027range\u0027 DoS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/laravel-nova-range-dos"
            }
          ],
          "title": "Laravel Nova 3.7.0 - \u0027range\u0027 DoS",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2020-36950",
        "datePublished": "2026-01-27T15:23:50.926Z",
        "dateReserved": "2026-01-25T13:50:01.143Z",
        "dateUpdated": "2026-04-07T14:05:07.091Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13919 (GCVE-0-2024-13919)

    Vulnerability from cvelistv5 – Published: 2025-03-10 10:03 – Updated: 2025-03-10 17:02
    VLAI
    Title
    Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
    Summary
    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Laravel Holdings Inc. Laravel Framework Affected: 11.9.0 , ≤ 11.35.1 (custom)
    Create a notification for this product.
    Credits
    Fabian Funder (SBA Research) Philipp Adelsberger (SBA Research) Jeremy Angele
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13919",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T12:38:06.695003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T12:41:35.550Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-10T17:02:42.335Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/10/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Laravel Framework",
              "repo": "https://github.com/laravel/framework",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "11.35.1",
                  "status": "affected",
                  "version": "11.9.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must run with debug-mode enabled (\u003ctt\u003eAPP_DEBUG=true\u003c/tt\u003e)."
                }
              ],
              "value": "The application must run with debug-mode enabled (APP_DEBUG=true)."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Funder (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Philipp Adelsberger (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeremy Angele"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page."
                }
              ],
              "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-10T10:03:01.374Z",
            "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
            "shortName": "sba-research"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/laravel/framework/pull/53869"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/laravel/framework/releases/tag/v11.36.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 11.36.0 or later."
                }
              ],
              "value": "Update to version 11.36.0 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ensure that the application does not run in debug-mode by setting \u003ctt\u003eAPP_DEBUG=false\u003c/tt\u003e in your configuration."
                }
              ],
              "value": "Ensure that the application does not run in debug-mode by setting APP_DEBUG=false in your configuration."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "assignerShortName": "sba-research",
        "cveId": "CVE-2024-13919",
        "datePublished": "2025-03-10T10:03:01.374Z",
        "dateReserved": "2025-03-04T18:11:39.565Z",
        "dateUpdated": "2025-03-10T17:02:42.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-13918 (GCVE-0-2024-13918)

    Vulnerability from cvelistv5 – Published: 2025-03-10 10:02 – Updated: 2025-03-10 17:02
    VLAI
    Title
    Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
    Summary
    The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Laravel Holdings Inc. Laravel Framework Affected: 11.9.0 , ≤ 11.35.1 (custom)
    Create a notification for this product.
    Credits
    Fabian Funder (SBA Research) Philipp Adelsberger (SBA Research) Jeremy Angele
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13918",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T12:55:25.311761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T12:55:46.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-10T17:02:40.794Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/10/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Laravel Framework",
              "repo": "https://github.com/laravel/framework",
              "vendor": "Laravel Holdings Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "11.35.1",
                  "status": "affected",
                  "version": "11.9.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must run with debug-mode enabled (\u003ctt\u003eAPP_DEBUG=true\u003c/tt\u003e)."
                }
              ],
              "value": "The application must run with debug-mode enabled (APP_DEBUG=true)."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Funder (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Philipp Adelsberger (SBA Research)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeremy Angele"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page."
                }
              ],
              "value": "The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-10T10:02:29.530Z",
            "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
            "shortName": "sba-research"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/laravel/framework/pull/53869"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/laravel/framework/releases/tag/v11.36.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to version 11.36.0 or later."
                }
              ],
              "value": "Update to version 11.36.0 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ensure that the application does not run in debug-mode by setting \u003ctt\u003eAPP_DEBUG=false\u003c/tt\u003e in your configuration."
                }
              ],
              "value": "Ensure that the application does not run in debug-mode by setting APP_DEBUG=false in your configuration."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "assignerShortName": "sba-research",
        "cveId": "CVE-2024-13918",
        "datePublished": "2025-03-10T10:02:29.530Z",
        "dateReserved": "2025-03-04T18:11:33.625Z",
        "dateUpdated": "2025-03-10T17:02:40.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }