CVE-2025-14894 (Severity: High, Status: Patched)

Livewire Filemanager Unauth Upload RCE

Missing MIME validation on the Livewire upload component enables PHP shell upload.

Affected Versions: livewire-filemanager/filemanager < 1.0.5
Discovered: August 1, 2025

The public Livewire component accepts files with arbitrary extensions. Combined with `storage:link`, which serves the public storage disk from the web root, an uploaded PHP file is web-accessible.
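
To check whether a host that ran an affected version already has PHP sitting on its public disk, the following audit script can be used. It is an added example, not code from the package or from this entry. It assumes Laravel's default layout, where `storage:link` serves `storage/app/public` at `/storage`; the extension list and the sample file names are also assumptions.

```shell
#!/usr/bin/env bash
# Added example (not project code): list files on a Laravel public disk that
# a web server could run as PHP. Assumes the default storage:link layout,
# where storage/app/public is served at /storage.

# Prints one suspicious path per line (sorted, de-duplicated).
# Returns 0 if the tree is clean, 1 if anything was found, 2 on bad input.
audit_public_uploads() {
    local dir="${1:-storage/app/public}" hits
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    hits=$(
        {
            # 1) Names the PHP handler is commonly mapped to (assumed list;
            #    match it to your own server configuration).
            find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.pht' \)
            # 2) Any file containing a PHP open tag, whatever its extension
            #    (-a: scan binary files too, so PHP inside an image is caught).
            grep -rlaF '<?php' -- "$dir" || true
        } | sort -u
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree for trying the audit offline; file names are made up.
build_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/media/1"
    printf 'plain text\n' > "$root/media/1/notes.txt"
    printf '<?php echo 1;\n' > "$root/media/1/report.PHP"
    printf 'GIF89a<?php echo 1;\n' > "$root/media/1/avatar.gif"
    echo "$root"
}

# Usage: ./audit.sh storage/app/public
if [ "$#" -gt 0 ]; then audit_public_uploads "$1"; fi
```

A non-zero exit on a production host means the listed files need review before they are removed, since they may be evidence of an earlier upload.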

Proof of Concept

```bash
# Upload .php via Livewire component → GET /storage/.../shell.php
```