A significant security vulnerability has been discovered in Livewire Filemanager, a widely used file management component embedded in Laravel web applications.
Tracked as CVE-2025-14894 and assigned vulnerability note VU#650657, the flaw enables unauthenticated attackers to execute arbitrary code on vulnerable servers.
The vulnerability stems from improper file validation in the LivewireFilemanagerComponent.php component.
The tool fails to enforce adequate file type and MIME validation, allowing attackers to upload malicious PHP files directly through the web interface.
| CVE ID | Tracking ID | Publication Date | Severity |
|---|---|---|---|
| CVE-2025-14894 | VU#650657 | January 16, 2026 | High |
Once uploaded, these files can be executed via the publicly accessible /storage/ directory, provided the `php artisan storage:link` command has been run during the standard Laravel setup process.
The vendor deliberately marks file-type validation as out of scope in their security documentation, placing the responsibility for validation on developers.
However, the critical issue lies in the tool’s architecture, which directly exposes uploaded files to execution without additional safeguards.
Successful exploitation grants attackers remote code execution (RCE) with the privileges of the web server user.
This enables comprehensive system compromise, including unrestricted file read and write access to all files accessible by the web server process. Attackers can then pivot to compromise connected systems and infrastructure.
The attack requires no authentication and can be executed remotely by simply uploading a PHP webshell to the application through Livewire Filemanager’s upload interface, then triggering execution by accessing the file via the storage URL.
Affected Platforms and Status
At the time of disclosure, vendors have not acknowledged the vulnerability.
| Entity | Status |
|---|---|
| Bee Interactive | Unknown |
| Laravel | Unknown |
| Laravel Swiss | Unknown |
CERT/CC recommends immediate protective measures, including verifying whether `php artisan storage:link` has been executed and, if it has, removing the web server's ability to serve files from that location.
Organizations using Livewire Filemanager should immediately implement file upload restrictions at the application level, independent of Livewire’s functionality.
Consider implementing strict allowlist policies that limit uploads to safe file types and apply comprehensive MIME type validation.
Store uploaded files outside the web-accessible directory, and turn off the public storage link if web serving is unnecessary for operations.
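The mitigations above (an extension allowlist, server-side MIME validation, and storage outside the web root) combine naturally into a single upload handler. The following is an added illustration for a Laravel application; it is not Livewire Filemanager's code or a vendor patch. The controller name, route parameters, the `uploads` directory and the `local` disk are assumptions, and the allowlist is deliberately small.

```php
<?php
// Added example (not Livewire Filemanager's own code): a hardened upload and download
// handler for a Laravel application. Class, method and path names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class SafeUploadController extends Controller
{
    // Allowlist: extension => MIME type the server must detect in the file's bytes.
    private const ALLOWED = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'pdf'  => 'application/pdf',
    ];

    public function store(Request $request)
    {
        $request->validate([
            'file' => ['required', 'file', 'max:10240'], // size cap, in kilobytes
        ]);

        $upload   = $request->file('file');
        $original = $upload->getClientOriginalName();

        // 1. The client-supplied name is used only to read the extension. Names with
        //    more than one dot (e.g. "shell.php.png") are rejected outright.
        if (substr_count($original, '.') !== 1) {
            abort(422, 'File name must have exactly one extension.');
        }
        $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
        if (!array_key_exists($ext, self::ALLOWED)) {
            abort(422, 'File type not permitted.');
        }

        // 2. MIME type is sniffed server-side from the temporary file (getMimeType()
        //    uses finfo); getClientMimeType() would just echo the request header.
        if ($upload->getMimeType() !== self::ALLOWED[$ext]) {
            abort(422, 'File content does not match its extension.');
        }

        // 3. Server-chosen random name, written to the non-public "local" disk
        //    (storage/app), so the file is never reachable through /storage/ even when
        //    `php artisan storage:link` has been run.
        $name = Str::uuid()->toString() . '.' . $ext;
        $upload->storeAs('uploads', $name, 'local');

        return response()->json(['id' => $name], 201);
    }

    // Reads go through a controller so authorization middleware runs on every access
    // and the bytes are returned as a download, never executed by the web server.
    public function show(Request $request, string $id)
    {
        // Only names this controller generated are accepted; no path traversal possible.
        if (!preg_match('/^[0-9a-f-]{36}\.(jpg|jpeg|png|pdf)$/', $id)) {
            abort(404);
        }
        $path = 'uploads/' . $id;
        if (!Storage::disk('local')->exists($path)) {
            abort(404);
        }
        return Storage::disk('local')->download($path, $id, [
            'X-Content-Type-Options' => 'nosniff',
        ]);
    }
}
```

The design point is that no single check is trusted on its own: the extension allowlist stops obvious PHP uploads, the content sniff stops renamed scripts, and the non-public disk plus a controller-mediated download means that even a file that slipped past both checks is returned as an attachment rather than handed to the PHP interpreter. Route the `show` method behind whatever `auth` middleware the application already uses.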
