CVE-2021-21263
CVE-2021-21263 is a high-severity vulnerability in Laravel with a CVSS 3.x base score of 7.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-89.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- CVSS v2: 5.0
- EPSS exploit prediction: 2% (73rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-89
- Affected product: Laravel
- Published:
- Last modified:
Description
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Frequently asked questions
- What is CVE-2021-21263?
- Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
- How severe is CVE-2021-21263?
- CVE-2021-21263 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2021-21263 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (73rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-21263?
- CVE-2021-21263 affects Laravel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-21263?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-21263 published?
- CVE-2021-21263 was published on 2021-01-19 and last updated on 2026-06-17.
References
- https://blog.laravel.com/security-laravel-62011-7302-8221-released
- https://github.com/laravel/framework/pull/35865
- https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
- https://packagist.org/packages/illuminate/database
- https://packagist.org/packages/laravel/framework
Affected products (1)
- cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*
More vulnerabilities in Laravel
- CVE-2021-28254 — Critical (CVSS 9.8): A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary…
- CVE-2018-15133 — High (CVSS 8.1): In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an…
- CVE-2020-24941 — High (CVSS 7.5): An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some…
- CVE-2020-24940 — High (CVSS 7.5): An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database…
- CVE-2017-16894 — High (CVSS 7.5): In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable…
- CVE-2017-9303 — Medium (CVSS 6.1): Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier…
Other CWE-89 (SQL Injection) vulnerabilities
- CVE-2026-54350 — Critical (CVSS 10.0): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase…
- CVE-2026-8054 — Critical (CVSS 10.0): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
- CVE-2026-42287 — Critical (CVSS 10.0): Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and…
- CVE-2026-3325 — Critical (CVSS 10.0): SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the…
- CVE-2025-10878 — Critical (CVSS 10.0): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26.…
- CVE-2025-57792 — Critical (CVSS 10.0): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of…