GHSA-9g95-48c6-r778

Source

https://github.com/advisories/GHSA-9g95-48c6-r778

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-9g95-48c6-r778/GHSA-9g95-48c6-r778.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9g95-48c6-r778

Aliases

CVE-2025-14894

Published

2026-01-16T15:31:24Z

Modified

2026-02-03T03:08:36.935614Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Livewire Filemanager does not restrict uploaded file types

Details

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T18:17:02Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "nvd_published_at": "2026-01-16T13:16:11Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / livewire-filemanager/filemanager

Package

Name: livewire-filemanager/filemanager
Purl: pkg:composer/livewire-filemanager/filemanager

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.4

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.1.10

v0.1.11

v0.1.13

v0.1.14

v0.1.15

v0.1.16

v0.1.17

v0.1.18

v0.1.19

v0.1.20

v0.1.21

v0.1.22

v0.1.23

v0.1.24

v0.1.25

v0.1.26

v0.1.27

v0.1.28

v0.1.29

v0.1.30

v0.1.31

v0.1.32

v0.1.33

v0.1.34

v0.1.35

v0.1.36

v0.1.37

v0.1.38

v0.1.39

v0.1.40

v0.1.41

v0.1.42

v0.1.43

v0.1.44

v0.1.45

v0.1.46

v0.1.47

v0.1.48

v0.1.49

v0.1.50

v0.1.51

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-9g95-48c6-r778/GHSA-9g95-48c6-r778.json"