Description
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious PHP file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
References
- Product
- Not Applicable
- Third Party Advisory
Vulnerable configurations
Configuration 1: version up to 1.0.0 (excluding)
cpe:2.3:a:livewire-filemanager:filemanager:*:*:*:*:*:*:*:*
EPSS
Percentile: 12%
0.00039
Low
9.8 Critical
CVSS3
7.5 High
CVSS3
Weaknesses
CWE-434
Related vulnerabilities
CVSS3: 7.5
github
19 days ago
Livewire Filemanager does not restrict uploaded file types
CVSS3: 9.8
fstec
19 days ago
A vulnerability in the LivewireFilemanagerComponent.php component of the Livewire Filemanager file manager that allows an attacker to execute arbitrary code