CVE-2025-14894

Published: Jan 16, 2026Modified: Jan 23, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

Affected (1)

Products: Livewire Filemanager: Filemanager

Livewire Filemanager

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Livewire Filemanager Filemanager	Before 1.0.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (3)

https://github.com/livewire-filemanager/filemanager

Source: cret@cert.org

Product

https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager

Source: cret@cert.org

Not Applicable

https://www.kb.cert.org/vuls/id/650657

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.