PT-2026-57042 · Packagist · Wnx/Laravel-Backup-Restore

Publicado

2026-07-09

·

Atualizado

2026-07-09

·

CVE-2026-53932

CVSS v3.1

8.0

Alta

VetorAV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command strings.
The dump filename is not shell-escaped before it is interpolated into commands such as:
  • mysql ... < {dumpFile}
  • gunzip -c {dumpFile} / gunzip < {dumpFile}
  • psql ... < {dumpFile}
  • sqlite3 ... < {dumpFile}
Because IlluminateSupportFacadesProcess::run(string) uses Symfony Process::fromShellCommandline(), shell metacharacters in the dump filename are interpreted by /bin/sh on Unix-like systems or by the platform shell on Windows.

Impact

If an attacker can cause an operator or automation to restore a malicious backup archive, the attacker can execute arbitrary shell commands as the PHP/Laravel application user on the system performing the restore. This can lead to application compromise, database credential disclosure, tampering with restored data, and further lateral movement depending on deployment permissions.
This is not about malicious SQL inside the dump. The command injection is carried in the ZIP entry filename under db-dumps, before the dump content is imported.

Patches

The vulnerability has been fixed in v1.9.4 of the package.

Workarounds

There is no configuration option that disables the vulnerable code path. Upgrading to the patched release is the only complete fix.

Correção

Command Injection

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-53932
GHSA-W9MX-XMG4-GC4R

Produtos afetados

Wnx/Laravel-Backup-Restore