Theethat-Thamwasin/CVE-2025-63307

An authenticated Stored Cross-site Scripting (XSS) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to inject and persist arbitrary JavaScript code in uploaded or created files.

CVE History

CVE | Published | CVSS v3 | CVSS v2
8.1 HIGH

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.
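
The description above names two gaps: files can be uploaded, created or renamed to HTML and SVG types, and they are then served inline. The following is an added example in plain PHP, not code from this repository or from laravel-file-manager; the function names, the extension lists and the sample file names are assumptions chosen for illustration. It shows one name check applied to every write path and a header set that keeps any remaining active content from rendering in the application's origin.

```php
<?php
// Added example: hypothetical helpers, not part of laravel-file-manager.

// Extensions a browser may execute script from when the file is rendered inline.
const ACTIVE_EXTENSIONS = ['html', 'htm', 'xhtml', 'shtml', 'svg', 'svgz', 'xml'];

// Extensions allowed to display inline, with the exact MIME type to send.
const INLINE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'txt'  => 'text/plain; charset=utf-8',
];

function finalExtension(string $name): string
{
    // Trim trailing dots and spaces so "page.html." is still treated as html.
    return strtolower(pathinfo(rtrim(basename($name), '. '), PATHINFO_EXTENSION));
}

// Call with the target name on upload, create AND rename, so a harmless
// file cannot be turned into an active type after it has been stored.
function allowWrite(string $targetName): bool
{
    return !in_array(finalExtension($targetName), ACTIVE_EXTENSIONS, true);
}

// Headers for serving a stored file. Anything not on the inline allowlist
// is sent as a download with a generic type, never rendered in the page origin.
function responseHeaders(string $name): array
{
    $ext    = finalExtension($name);
    $inline = array_key_exists($ext, INLINE_TYPES);
    return [
        'Content-Type'            => $inline ? INLINE_TYPES[$ext] : 'application/octet-stream',
        'Content-Disposition'     => ($inline ? 'inline' : 'attachment')
            . "; filename*=UTF-8''" . rawurlencode(basename($name)),
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "sandbox; default-src 'none'",
    ];
}

// Constructed sample names, for demonstration only.
foreach (['logo.png', 'notes.txt', 'page.html', 'icon.SVG', 'old.html.'] as $n) {
    $h = responseHeaders($n);
    printf("%-10s write=%-3s %-28s %s\n", $n, allowWrite($n) ? 'yes' : 'no',
        $h['Content-Type'], strtok($h['Content-Disposition'], ';'));
}
```

The download headers still matter when writes are gated, because files stored before the check was introduced remain on disk.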