{"id":"CVE-2024-13918","details":"Laravel framework versions 11.9.0 through 11.35.1 (fixed in 11.36.0) are susceptible to reflected cross-site scripting because request parameters are not properly output-encoded in the framework's debug-mode error page. Since the affected page is the debug-mode error page, exposure depends on the application running with debug mode enabled; upgrade to 11.36.0 or later regardless.","aliases":["GHSA-546h-56qp-8jmw"],"modified":"2026-04-10T05:07:46.500335Z","published":"2025-03-10T10:15:10.280Z","references":[{"type":"ADVISORY","url":"https://github.com/laravel/framework/releases/tag/v11.36.0"},{"type":"FIX","url":"https://github.com/laravel/framework/pull/53869"},{"type":"EVIDENCE","url":"https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2025/03/10/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/laravel/framework","events":[{"introduced":"2fd3a257bbccfbdceb1ccc55361c001561a53f84"},{"fixed":"153254cac5210eba8e14709f5eb7450e73fa690e"}],"database_specific":{"versions":[{"introduced":"11.9.0"},{"fixed":"11.36.0"}]}}],"versions":["v11.10.0","v11.11.0","v11.11.1","v11.12.0","v11.13.0","v11.14.0","v11.15.0","v11.16.0","v11.17.0","v11.18.0","v11.18.1","v11.19.0","v11.20.0","v11.21.0","v11.22.0","v11.23.0","v11.23.1","v11.23.2","v11.23.3","v11.23.4","v11.24.0","v11.24.1","v11.25.0","v11.26.0","v11.27.0","v11.27.1","v11.27.2","v11.28.0","v11.28.1","v11.29.0","v11.30.0","v11.31.0","v11.32.0","v11.33.0","v11.33.1","v11.33.2","v11.34.0","v11.34.1","v11.34.2","v11.35.0","v11.35.1","v11.9.0","v11.9.1","v11.9.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-13918.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}