Critical RCE Vulnerability Discovered in Livewire Filemanager for Laravel (CVE-2025-14894) A high-severity security flaw (CVE-2025-14894, VU#650657) has been identified in Livewire Filemanager, a popular file management component used in Laravel web applications. The vulnerability, disclosed on January 16, 2026, allows unauthenticated attackers to execute arbitrary code on vulnerable servers by exploiting improper file validation. ### Root Cause & Exploitation The flaw stems from inadequate file type and MIME validation in the `LivewireFilemanagerComponent.php` component. Attackers can upload malicious PHP files via the web interface, which are then stored in the publicly accessible `/storage/` directory assuming the `php artisan storage:link` command was run during Laravel setup. Once uploaded, the files can be executed remotely, granting remote code execution (RCE) with the privileges of the web server user. ### Impact & Risks Successful exploitation enables: - Full system compromise, including unrestricted file read/write access. - Lateral movement to connected systems and infrastructure. - No authentication required attackers only need to upload a PHP webshell and access it via the storage URL. ### Affected Vendors & Response At the time of disclosure, no vendors (Bee Interactive, Laravel, Laravel Swiss) have acknowledged the vulnerability. The CERT/CC recommends immediate mitigation, including: - Removing web serving capability from the `/storage/` directory if unnecessary. - Implementing strict file upload restrictions (e.g., allowlists for safe file types, MIME validation). - Storing uploaded files outside web-accessible directories and disabling the public storage link if unused. The vulnerability highlights a critical gap in Livewire’s security model, which defers file validation to developers despite architectural risks. Organizations using the component are urged to apply protections independently.