CVE-2025-26159 – nasirkhan/laravel-starter
Package
Manager: composer
Name: nasirkhan/laravel-starter
Vulnerable Version: >=0 <11.11.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00053 (percentile: 0.16381)
Details
Laravel Starter Cross Site Scripting (XSS): Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability to create or modify tags can inject malicious JavaScript code in the name field.
Metadata
Created: 2025-04-22T21:30:44Z
Modified: 2025-04-22T22:16:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-fpx3-h2pc-88vf/GHSA-fpx3-h2pc-88vf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fpx3-h2pc-88vf
Finding: F425
Auto approve: 1