CVE-2024-13918

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

Published: Mar 10, 2025
Updated: Aug 11, 2025
CVE: CVE-2024-13918
GHSA: GHSA-546h-56qp-8jmw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
laravel / framework	11.9.0	11.36.0

http://www.openwall.com/lists/oss-security/2025/03/10/3
https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2024-13918.yaml
https://github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33
https://github.com/laravel/framework/pull/53869
https://github.com/laravel/framework/releases/tag/v11.36.0
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page

Vulnerability Database

CVE-2024-13918