Unpatched bug in Livewire, a popular file manager for Laravel apps

CERT/CC Vulnerability Note VU#650657

A vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for usage within Laravel applications. The Livewire Filemanager tool allows for users to upload various files, including PHP files, and host them within the Laravel application. When a user uploads a PHP file to the application, it can be accessed and executed by visiting the web-accessible file hosting directory. This enables an attacker to create a malicious PHP file, upload it to the application, then force the application to execute it, enabling unauthenticated arbitrary code execution on the host device.