Laravel Framework Hit by High-Severity CRLF Injection Vulnerability (CVE-2026-48019) A critical CRLF injection vulnerability in the Laravel framework, tracked as CVE-2026-48019, has been disclosed, exposing applications to email header manipulation and unauthorized email transmissions. The flaw affects Laravel versions up to 13.9.0 and those before 12.60.0, with patches released in 13.10.0 and 12.60.0. The vulnerability arises from improper sanitization of carriage return and line feed (CRLF) sequences in email validation logic (classified as CWE-93). When user-supplied email inputs such as those from registration forms or password resets are processed without adequate sanitization, attackers can inject malicious control characters. This becomes particularly dangerous when combined with Laravel’s underlying Symfony Mailer and Symfony Mime components, which handle email delivery. Exploitation allows attackers to alter email headers, modify message content, or redirect messages all without requiring authentication or user interaction. Potential impacts include unauthorized email redirection, phishing campaigns, or abuse of mail servers for relay attacks, posing significant risks to confidentiality and integrity. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (High), reflecting its network-based attack vector, low complexity, and potential for downstream system compromise. Security researcher OmarXtream disclosed the flaw via GitHub advisory GHSA-5vg9-5847-vvmq, emphasizing the persistent risks of inadequate input validation in email handling. Organizations using affected Laravel versions particularly those processing untrusted email inputs are urged to upgrade immediately to mitigate exposure. While the maintainers have released patches, additional measures such as strict input validation and code review are recommended to prevent similar issues. The incident underscores the ongoing threat posed by email-based attack vectors, which remain a prime target for indirect exploitation in modern applications.

Critical RCE Vulnerability Discovered in Livewire Filemanager for Laravel (CVE-2025-14894) A high-severity security flaw (CVE-2025-14894, VU#650657) has been identified in Livewire Filemanager, a popular file management component used in Laravel web applications. The vulnerability, disclosed on January 16, 2026, allows unauthenticated attackers to execute arbitrary code on vulnerable servers by exploiting improper file validation. ### Root Cause & Exploitation The flaw stems from inadequate file type and MIME validation in the `LivewireFilemanagerComponent.php` component. Attackers can upload malicious PHP files via the web interface, which are then stored in the publicly accessible `/storage/` directory assuming the `php artisan storage:link` command was run during Laravel setup. Once uploaded, the files can be executed remotely, granting remote code execution (RCE) with the privileges of the web server user. ### Impact & Risks Successful exploitation enables: - Full system compromise, including unrestricted file read/write access. - Lateral movement to connected systems and infrastructure. - No authentication required attackers only need to upload a PHP webshell and access it via the storage URL. ### Affected Vendors & Response At the time of disclosure, no vendors (Bee Interactive, Laravel, Laravel Swiss) have acknowledged the vulnerability. The CERT/CC recommends immediate mitigation, including: - Removing web serving capability from the `/storage/` directory if unnecessary. - Implementing strict file upload restrictions (e.g., allowlists for safe file types, MIME validation). - Storing uploaded files outside web-accessible directories and disabling the public storage link if unused. The vulnerability highlights a critical gap in Livewire’s security model, which defers file validation to developers despite architectural risks. Organizations using the component are urged to apply protections independently.