All Laravel Framework CVEs — Complete Vulnerability History
Laravel is PHP's most popular framework. The security team is active and releases patches regularly. Subscribe to the Laravel security mailing list and review releases before upgrading.
PHP · 5M+ weekly downloads · 3 CVEs total · 2 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-15133 | 2018 | CRITICAL | RCE via unserialize in remember_me cookie | Fixed 5.6.30 |
| CVE-2021-3129 | 2021 | CRITICAL | RCE via Ignition debug mode — widely exploited | Fixed 8.4.3 |
| CVE-2021-43503 | 2021 | HIGH | Mass assignment via model fillable bypass | Fixed 8.75 |
Current safe version: ^11.0
```
# Before
"laravel/framework": "^8.0"
# After
"laravel/framework": "^11.0"
```
Then run: composer install
Common questions
Is CVE-2021-3129 still being exploited?
Yes — Ignition's debug mode RCE is still found in production deployments running old Laravel versions. Never run APP_DEBUG=true in production. Update to 8.4.3+ immediately if you're affected.
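Added example, not code from this page or from the Laravel project: a small Python check that reads the locked laravel/framework version out of a composer.lock, flags the CVEs in the table above whose fix version is newer than what is installed, and inspects a .env file for the APP_DEBUG=true setting warned about here. It assumes that every release below a listed fix version is affected (the table gives only the fix version), and the composer.lock and .env contents are constructed samples.

```python
import json
import re

# Fix versions from the CVE table above; "8.75" is padded to three parts.
LARAVEL_CVES = {
    "CVE-2018-15133": "5.6.30",
    "CVE-2021-3129": "8.4.3",
    "CVE-2021-43503": "8.75.0",
}

def parse_version(tag):
    """Turn 'v8.4.2' or '8.75' into a comparable tuple such as (8, 4, 2)."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", tag)
    if not m:
        raise ValueError(f"unrecognised version: {tag}")
    return tuple(int(p or 0) for p in m.groups())

def installed_version(lock_json, package="laravel/framework"):
    """Return the locked version of a package from composer.lock text, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == package:
            return pkg.get("version")
    return None

def affected_cves(version):
    """CVEs whose fix version is newer than the installed one.
    Assumption: every release below the listed fix version is affected."""
    v = parse_version(version)
    return [cve for cve, fixed in LARAVEL_CVES.items() if v < parse_version(fixed)]

def debug_enabled(env_text):
    """True when a .env file sets APP_DEBUG=true (quotes and case tolerated)."""
    for line in env_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == "APP_DEBUG":
            return val.strip().strip("\"'").lower() == "true"
    return False

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v8.4.2"},
]})
SAMPLE_ENV = "APP_NAME=Demo\nAPP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    ver = installed_version(SAMPLE_LOCK)
    print(ver, affected_cves(ver))  # v8.4.2 ['CVE-2021-3129', 'CVE-2021-43503']
    print("APP_DEBUG=true:", debug_enabled(SAMPLE_ENV))  # True
```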
Does Laravel auto-update minor versions?
Composer installs the latest matching version when you run composer update. Pin major versions in composer.json (^8.0) to avoid unintended breaking changes while still getting security patches.