CVE-2025-14894
CRITICAL
WAF: Medium
CVSS 9.8
Published: 2026-01-16
CWE-434
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation. This allows remote code execution (RCE): a malicious PHP file can be uploaded and then executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| livewire-filemanager | filemanager | up to 1.0.0 |
References
- github.com (Product)
- hackingbydoing.wixsite.com (Not Applicable)
- www.kb.cert.org (Third Party Advisory)