CVE-2025-32931 | THREATINT

Description

DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a specific php artisan command.

PUBLISHED Reserved 2025-04-14 | Published 2025-04-14 | Updated 2025-04-14 | Assigner mitre

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status

unaffected

1.4.0 (semver)

affected

References

github.com/lishihihi/voyager-issue-report/

github.com/...voyager/blob/1.8/docs/core-concepts/compass.md

github.com/...rces/views/compass/includes/commands.blade.php

cve.org (CVE-2025-32931)

nvd.nist.gov (CVE-2025-32931)

Download JSON