CVE-2025-14894

Critical CVSS: 9.8

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

Vendor

Livewire-filemanager

Product

Filemanager

CWE

CWE-434

Yayın Tarihi

2026-01-16 13:16:11

Güncelleme

2026-01-23 17:04:25

Source Identifier

cret@cert.org

KEV Date Added

Kategoriler

CWE-434 Filemanager CRITICAL Livewire-filemanager 2026

Referanslar

https://github.com/livewire-filemanager/filemanager https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager https://www.kb.cert.org/vuls/id/650657

Benzer Kayıtlar

Medium

CVE-2025-46000

An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2…

Critical

CVE-2025-46001

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to…

Medium

CVE-2025-46002

An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP re…