CVE-2020-36950

MEDIUM

Laravel Nova 3.7.0 - Authenticated Denial of Service via Range Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36950. PoCs published by iqzer0.

AI-analyzed exploit summary: This is a technical writeup describing a DoS vulnerability in Laravel Nova 3.7.0, where an authenticated user can crash the application by manipulating the 'range' parameter in simultaneous requests. The vulnerability is triggered by setting a high value for the 'range' parameter in the metrics API endpoint.

Description

Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.

Exploits (1)

exploitdb WRITEUP
by iqzer0 · text · webapps · php
https://www.exploit-db.com/exploits/49198

Classification: Writeup 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Laravel Nova v3.7.0
Auth required
Prerequisites: Authenticated access to the Laravel Nova application
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49198
Various Sources product
https://nova.laravel.com/
Various Sources patch
https://nova.laravel.com/releases
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/laravel-nova-range-dos

Scores

CVSS v3 6.5
EPSS 0.0032
EPSS Percentile 23.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (1)
Laravel Holdings Inc./Laravel Nova 3.7.0
Published Jan 27, 2026
Tracked Since Feb 18, 2026