Description
Carbon is an international PHP extension for DateTime. Applications that pass unsanitized user input to Carbon::setLocale are at risk of arbitrary file include: the locale name is used to locate the translation file that is loaded. If the application also allows users to upload files with a .php extension into a folder that include or require can read, an attacker can get arbitrary code run on the server. This vulnerability is fixed in 3.8.4 and 2.72.6.
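The following script is an added example, not code from the advisory or from the Carbon project. It contrasts a simplified model of the unsafe pattern (a locale string concatenated into a file path and passed to require, which is an assumption about the shape of the problem, not a reproduction of Carbon's internals) with a hardened wrapper that validates the requested locale against the locales bundled with the installed Carbon version before calling Carbon::setLocale. It assumes nesbot/carbon is installed via Composer; the attacker input and the paths are constructed for illustration.

```php
<?php
// Added example; not part of the advisory or of Carbon's own code.
// Assumes nesbot/carbon is installed via Composer (ideally >= 3.8.4 / 2.72.6).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

// Simplified model of the unsafe pattern (assumption: a locale name ends up as
// "<lang dir>/<locale>.php" and is then required). It is here only to show why a
// raw request parameter must never reach Carbon::setLocale unvalidated.
function unsafeLocalePath(string $langDir, string $locale): string
{
    // No validation: "../" sequences in $locale walk out of $langDir, and the
    // forced ".php" suffix is exactly what a user-uploaded .php file provides.
    return $langDir . '/' . $locale . '.php';
}

// Hardened wrapper around Carbon::setLocale (hypothetical helper name).
function safeSetLocale(string $requested, string $fallback = 'en'): string
{
    // Normalise BCP-47 style "pt-BR" to the "pt_BR" form Carbon uses for its files.
    $locale = str_replace('-', '_', trim($requested));

    // Syntactic check first: letters, digits and underscores only. This rejects
    // "../", slashes, null bytes and other path metacharacters before any
    // filesystem lookup happens.
    if (!preg_match('/^[A-Za-z0-9_]{2,20}$/', $locale)) {
        return $fallback;
    }

    // Semantic check: only locales that the installed Carbon actually ships.
    // Carbon::getAvailableLocales() is Carbon's own API and returns these names.
    if (!in_array($locale, Carbon::getAvailableLocales(), true)) {
        return $fallback;
    }

    Carbon::setLocale($locale);
    return $locale;
}

// Demonstration with constructed inputs.
$langDir  = '/var/www/app/vendor/nesbot/carbon/src/Carbon/Lang';   // constructed
$attacker = '../../../../../../var/www/app/public/uploads/avatar'; // constructed

echo "Unsafe model resolves attacker input to:\n  ",
     unsafeLocalePath($langDir, $attacker), "\n";
// A user-uploaded public/uploads/avatar.php would be the file that gets required.

foreach (['fr', 'pt-BR', $attacker, "en\0x", 'zz_ZZ'] as $input) {
    $applied = safeSetLocale($input);
    printf("%-70s => %s\n", addcslashes($input, "\0"), $applied);
}

// The allowlisted locale is now in effect for Carbon's localized output.
echo Carbon::now()->isoFormat('LL'), "\n";
```

Upgrading to the fixed versions listed on this page (3.8.4 or 2.72.6) is the primary remediation; the wrapper above is the defence-in-depth layer an application should keep regardless, because a locale taken from a query string, cookie or Accept-Language header is attacker-controlled input.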
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
Scores
CVSS v4
6.3
EPSS
0.0070
EPSS Percentile
48.1%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-98
Status
published
Products (3)
CarbonPHP/carbon
< 2.72.6
CarbonPHP/carbon
>= 3.0.0, < 3.8.4
nesbot/carbon
3.0.0 - 3.8.4 (Packagist)
Published
Jan 08, 2025
Tracked Since
Feb 18, 2026