Vulnerability Report

CVE-2018-15133

RCE CISA KEV Active

Title: Laravel RCE

RCE

Proof Of Concept

PoC Available for CVE-2018-15133

CWE Category CWE-502

Published Date Aug 09, 2018

Modified Date Nov 07, 2025

Exploit Status Available

Score 8.1 CVSS v3.1

Exploit Probability (EPSS)

84.45%

Vulnerability Summary

CVE-2018-15133: In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Impacted Vendors

laravel 1

Reference Links

http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30 http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15133

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.1

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity HIGH

8.1

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

Source Entity [email protected]

Severity MEDIUM

6.8

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:M/Au:N/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2018-15133 Exploits & PoCs (Proof Of Concept)

Exploit-DB https://www.exploit-db.com/exploits/47129

View Code

November 07, 2025 MODIFIED

Vulnerability data or affected products updated.

August 09, 2018 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.