Description

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not validate the file type or MIME type of uploaded files. This allows remote code execution (RCE): an attacker can upload a malicious PHP file, which can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

PUBLISHED Reserved 2025-12-18 | Published 2026-01-16 | Updated 2026-01-16 | Assigner certcc

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Any version before 1.0: affected

References

www.kb.cert.org/vuls/id/650657

github.com/livewire-filemanager/filemanager

hackingbydoing.wixsite.com/...ed-rce-in-livewire-filemanager

cve.org (CVE-2025-14894)

nvd.nist.gov (CVE-2025-14894)