PT-2025-49169 · Unknown · Laradashboard
Published: 2025-12-04 · Updated: 2026-03-11 · CVE-2025-66509
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LaraDashboard versions prior to 2.3.0
Description
LaraDashboard, an all-in-one solution for starting a Laravel application, trusts the Host header of the incoming request in its password reset flow. An attacker can therefore cause an administrator's reset token to be delivered to a server they control. This can be combined with the module installation process, specifically the execution of the ServiceProvider::boot() method, to achieve arbitrary PHP code execution.
Recommendations
Update to version 2.3.0 or later.
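The defect class behind the description is a password-reset link whose origin is copied from the request's Host header. The following PHP is an added illustration, not LaraDashboard's own code, and the function names, the allow-list helper and the sample request values are assumptions constructed for this example. It places the trusting pattern beside a hardened variant that takes the origin from server-side configuration (the APP_URL value a Laravel deployment already has) and adds a Host allow-list check as defence in depth.

```php
<?php
// Added example, not code from LaraDashboard. Names below are hypothetical.
declare(strict_types=1);

// Trusting pattern: the reset link inherits whatever Host the client sent,
// so a forged Host header decides where the reset token is delivered.
function buildResetLinkFromHost(array $server, string $email, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST']; // client-controlled input
    return sprintf('%s://%s/password/reset/%s?email=%s',
        $scheme, $host, $token, rawurlencode($email));
}

// Hardened pattern: the origin comes from configuration (APP_URL), never
// from the request, so a forged Host header cannot move the link.
function buildResetLinkFromConfig(string $appUrl, string $email, string $token): string
{
    $base = rtrim($appUrl, '/');
    return sprintf('%s/password/reset/%s?email=%s',
        $base, $token, rawurlencode($email));
}

// Defence in depth: reject any request whose Host (port stripped, case
// folded) is not on an explicit allow-list before a URL is ever built.
function hostIsTrusted(string $hostHeader, array $allowedHosts): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed sample: a reset request carrying a Host that is not ours.
$sampleRequest = [
    'HTTPS'     => 'on',
    'HTTP_HOST' => 'forged.example',          // constructed value
];
$token = 'CONSTRUCTED-RESET-TOKEN';           // placeholder, not a real token
$email = 'admin@dashboard.example';           // constructed value

echo 'from Host header : ', buildResetLinkFromHost($sampleRequest, $email, $token), PHP_EOL;
echo 'from APP_URL     : ', buildResetLinkFromConfig('https://dashboard.example', $email, $token), PHP_EOL;

var_dump(hostIsTrusted($sampleRequest['HTTP_HOST'], ['dashboard.example']));
var_dump(hostIsTrusted('Dashboard.example:443', ['dashboard.example']));
```

Run with `php example.php`: the first line shows the link pointing at the forged host, the second stays on the configured origin, and the allow-list check rejects the forged host while accepting the configured one regardless of case or port. In a Laravel application the equivalent controls are a correctly set APP_URL and the framework's TrustHosts middleware; for detection, password-reset requests whose Host header differs from the configured application domain are worth alerting on.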
Exploit
Fix
RCE
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Laradashboard