CVE-2025-26159: XSS
First published: Tue Apr 22 2025(Updated: )
Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Laravel Starter | ||
| composer/nasirkhan/laravel-starter | <11.11.0 | 11.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-26159?
CVE-2025-26159 is classified as a medium severity Cross Site Scripting (XSS) vulnerability.
How do I fix CVE-2025-26159?
To fix CVE-2025-26159, upgrade Laravel Starter to a version higher than 11.11.0.
Who is affected by CVE-2025-26159?
Any user of Laravel Starter 11.11.0 with the ability to create or modify tags is affected by CVE-2025-26159.
What impact does CVE-2025-26159 have?
CVE-2025-26159 allows attackers to inject malicious JavaScript code, potentially leading to unauthorized actions or information theft.
Is CVE-2025-26159 a coding issue?
Yes, CVE-2025-26159 is caused by improper input validation in the tags feature of Laravel Starter.
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/author
- agent/source
- agent/severity
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fpx3-h2pc-88vf
- alias/CVE-2025-26159
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- collector/nvd-cve
- collector/github-advisory
- vendor/laravel
- canonical/laravel starter
- package-manager/composer