Improper Encoding or Escaping of Output Affecting laravel/framework package, versions <12.61.1, >=13.0.0 <13.12.0


Severity

Recommended: 0.0 (low), on a scale of 0 to 10

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PHP-LARAVELFRAMEWORK-17660423
  • published: 27 Jun 2026
  • disclosed: 17 Jun 2026
  • credit: Unknown

Introduced: 17 Jun 2026

CVE NOT AVAILABLE, CWE-116

How to fix?

Upgrade laravel/framework to version 12.61.1, 13.12.0 or higher.
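
A check for whether a project's locked laravel/framework version falls in the ranges this advisory lists, as an added example (not code from Snyk or Laravel). The sample lock content is constructed, and versions that are not plain x.y.z tags are reported as undetermined rather than guessed.

```python
import json
import re

# Ranges as listed on this advisory: <12.61.1, or >=13.0.0 and <13.12.0.
FIXED_12 = (12, 61, 1)
BRANCH_13 = (13, 0, 0)
FIXED_13 = (13, 12, 0)

def parse_version(raw):
    """Return (major, minor, patch) for a stable tag such as 'v12.61.0', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(raw):
    """True/False for stable versions; None when the version cannot be compared."""
    v = parse_version(raw)
    if v is None:
        return None  # dev branches, aliases, pre-release suffixes: review by hand
    return v < FIXED_12 or BRANCH_13 <= v < FIXED_13

def check_lock(lock_text, package="laravel/framework"):
    """Return (locked version, affected flag) for `package` in composer.lock text."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section) or []:
            if entry.get("name") == package:
                return entry["version"], is_affected(entry["version"])
    return None, False  # package is not locked in this project

# Constructed sample lock file content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "3.9.0"},
        {"name": "laravel/framework", "version": "v13.11.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"laravel/framework {version}: affected={affected}")
```

To run it against a real project, pass the contents of that project's composer.lock to `check_lock` in place of `SAMPLE_LOCK`.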

Overview

laravel/framework is a PHP framework for web artisans.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the parsing of temporary signed URLs by the local filesystem driver. An attacker can access unintended resources or bypass expiration enforcement by crafting URLs that are interpreted differently by the server than at signing time. This may result in expired URLs remaining valid or requests being routed to unintended destinations.
