Laravel Voyager Package Exposes Users to RCE Vulnerabilities
Critical vulnerabilities in Voyager, the open-source PHP admin panel package for Laravel applications, expose its users to remote code execution. Three unpatched flaws could let an attacker run code on the server by getting an authenticated Voyager user to open a crafted link. The issues were discovered by SonarSource and consist of an arbitrary file upload (the application accepts content it should reject), improper input sanitization (which is what makes the crafted link work), and file path manipulation (which lets an attacker reach files outside the intended directory); together they can lead to a full compromise of the application. SonarSource reports that its attempts to notify the Voyager maintainers went unanswered within the 90-day disclosure window, so the flaws were published without fixes.

Until fixes are released, users are advised to restrict who can reach the admin panel, limit the permissions of Voyager accounts (in particular upload and media rights), and add server-level controls such as preventing script execution in upload directories; switching to another admin panel solution should also be considered. With over 2,700 forks and millions of downloads, Voyager's popularity makes a fix urgent.
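As an added example (this is not code from Voyager or from SonarSource's research), the plain-PHP upload handler below shows what closing the three defect classes named above looks like in practice: the client-supplied path is discarded, the extension is allow-listed and checked against the bytes of the file, files carrying PHP open tags are rejected even when they are otherwise valid images, and the destination is confined to a storage directory outside the web root. The function name `storeUploadSafely`, the `ALLOWED_TYPES` list and the `$storageRoot` argument are this example's own assumptions.

```php
<?php
// Added example, not Voyager's code. Assumed names: storeUploadSafely,
// ALLOWED_TYPES, UploadRejected and the $storageRoot argument are ours.
declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

// Allow-list: the extension and the MIME type detected from the bytes must agree.
// A deny-list of "php, phtml, phar, ..." is always incomplete; do not use one.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and move it under $storageRoot with a random name.
 * $storageRoot is assumed to live outside the web root, so even a file that
 * slipped through could not be requested (and executed) by URL.
 *
 * @param array{name:string,tmp_name:string,error:int,size:int} $file
 * @return string absolute path of the stored file
 */
function storeUploadSafely(array $file, string $storageRoot): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new UploadRejected('upload failed with PHP error ' . $file['error']);
    }
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new UploadRejected('file too large');
    }

    // 1. Path manipulation: strip every directory component the client sent
    //    ("../../public/shell.php" becomes "shell.php"). The client name is
    //    used only to read the extension; it is never reused on disk.
    $clientName = basename(str_replace('\\', '/', $file['name']));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // 2. Extension allow-list.
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new UploadRejected("extension '$ext' is not allowed");
    }

    // 3. Check the bytes, not the client-declared Content-Type, and require the
    //    detected type to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new UploadRejected("content type '$detected' does not match extension '$ext'");
    }

    // 4. Polyglot check: a valid image header is not enough. A GIF that also
    //    contains "<?php" runs if it ever lands under a PHP handler.
    $bytes = file_get_contents($file['tmp_name']);
    if ($bytes === false || preg_match('/<\?(php|=)?/i', $bytes) === 1) {
        throw new UploadRejected('file contains PHP open tags');
    }

    // 5. Confine the destination to the storage root and pick a random name.
    $root = realpath($storageRoot);
    if ($root === false) {
        throw new UploadRejected('storage root does not exist');
    }
    $dest = $root . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (strncmp($dest, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new UploadRejected('destination escaped the storage root');
    }

    // move_uploaded_file() refuses any path that was not uploaded via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new UploadRejected('could not move uploaded file');
    }

    // 6. Least privilege on disk: readable by the application, never executable.
    chmod($dest, 0640);
    return $dest;
}

// Usage from a request handler (example):
// $path = storeUploadSafely($_FILES['file'], '/var/app/storage/uploads');
```

Call it from a controller with the `$_FILES` entry and a storage directory that the web server does not serve; in a Laravel application the same checks apply to the `UploadedFile` object behind `$request->file(...)`. The server-level measure the advice refers to is the complementary control: even if uploads must stay under the web root, a rule such as an nginx `location ~* \.php$ { deny all; }` scoped to the upload path (or `php_admin_flag engine off` in Apache) ensures an uploaded script is served as a download rather than executed.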
