CVE-2025-54068

Warnung

Medienbericht

EPSS 45.98%
Veröffentlicht 17.07.2025 18:16:56
Zuletzt bearbeitet 20.03.2026 18:36:12
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Laravel ≫ Livewire Version >= 3.0.0 < 3.6.4

20.03.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Laravel Livewire Code Injection Vulnerability

Schwachstelle

Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	45.98%	0.976

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.2	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://thehackernews.com/2026/03/cisa-flags-apple-craft-cms-laravel-bugs.html

Medienbericht

TheHackersNews

21.03.2026 10:07

https://thehackernews.com/2026/03/weekly-recap-qualcomm-0-day-ios-exploit.html

Medienbericht

TheHackersNews

17.03.2026 22:20

https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3

Vendor Advisory

https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc

Patch