CVE-2025-54068

Published 17/07/2025 21:15 · Modified 27/03/2026 00:58 · Author: The MITRE Corporation

Essential information

Published: 17/07/2025 21:15
Modified: 27/03/2026 00:58
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.8 CRITICAL (v3.1), 9.2 CRITICAL (v4.0)
CISA KEV: Yes
CWE: CWE-94
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
laravel / livewire | cpe:2.3:a:laravel:livewire:3.0.0-3.6.3:*:*:*:*:*:*:*
laravel / livewire | cpe:2.3:a:laravel:livewire:3.6.4:*:*:*:*:*:*:*

References