A security analysis by Yaniv Nizry of SonarSource has uncovered multiple critical vulnerabilities in the popular Voyager admin panel for Laravel, including remote code execution (RCE), arbitrary file deletion, and cross-site scripting (XSS) flaws. Despite repeated attempts to notify Voyager's maintainers, no fixes have been issued, prompting SonarSource to disclose the vulnerabilities under its 90-day responsible disclosure policy.
The most severe issue, CVE-2024-55417, involves a file upload vulnerability that allows attackers to upload malicious PHP web shells disguised as image or video files. This flaw enables server takeover and could lead to database modification or user credential theft.
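The defensive counterpart to the upload flaw described above is strict server-side media validation. The following is an added example, not Voyager's or SonarSource's code; it assumes a plain PHP environment with the fileinfo extension, where `$tmpPath` is the uploaded temporary file and `$clientName` is the filename the browser supplied.

```php
<?php
// Added example (not from the original page): reject uploads that claim to be
// images or videos but carry PHP code, and never trust the client's filename.
declare(strict_types=1);

// Sniffed MIME type => extensions we are willing to store it under.
const ALLOWED_MEDIA = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
    'video/mp4'  => ['mp4'],
];

/** Returns [true, $safeName] on success or [false, $reason] on rejection. */
function validateMediaUpload(string $tmpPath, string $clientName): array
{
    // 1. Extension allowlist. pathinfo() keeps only the last extension, so a
    //    name like shell.php.jpg yields "jpg": this check alone is never enough.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // 2. Sniff the content type from the bytes, not from the client-sent MIME.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath) ?: 'application/octet-stream';
    if (!isset(ALLOWED_MEDIA[$mime]) || !in_array($ext, ALLOWED_MEDIA[$mime], true)) {
        return [false, "type mismatch: ext=$ext mime=$mime"];
    }

    // 3. A file can have valid image magic bytes and still contain PHP
    //    (a polyglot). Reject anything with an open tag or inline script.
    $data = file_get_contents($tmpPath);
    if ($data === false || preg_match('/<\?(php|=)|<script\b/i', $data)) {
        return [false, 'embedded script content'];
    }

    // 4. Discard the client filename entirely: random name plus the extension
    //    derived from the verified MIME type, so the name cannot pick a handler.
    $safeName = bin2hex(random_bytes(16)) . '.' . ALLOWED_MEDIA[$mime][0];
    return [true, $safeName];
}

// Constructed sample: a PNG header followed by a PHP open tag is refused.
$sample = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($sample, "\x89PNG\r\n\x1a\n" . '<?php echo 1; ?>');
[$ok, $info] = validateMediaUpload($sample, 'avatar.png');
var_dump($ok, $info); // bool(false), "embedded script content"
unlink($sample);
```

Store accepted files outside the web root (or on a host that serves them with no script handlers) so that even a validator bypass cannot yield code execution.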
Additional flaws include CVE-2024-55416, a reflected XSS vulnerability that lets attackers hijack admin sessions, and CVE-2024-55415, which allows arbitrary file deletion and can corrupt a Laravel installation. Because the package has millions of downloads, these issues leave many Laravel applications exposed, with no patches in sight. SonarSource urges caution for users considering Voyager for their applications.