CVE-2025-26159

MEDIUM

Nasirkhan Laravel-starter < 11.11.0 - XSS

Title source: rule

Description

Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field.

Exploits (1)

nomisec WORKING POC

by godBADTRY · poc

https://github.com/godBADTRY/CVE-2025-26159

View Code ZIP pw:eip

References (2)

[Various Sources] https://github.com/nasirkhan/laravel-starter

[Various Sources] https://godbadtry.github.io/posts/CVE-2025-26159/

Scores

CVSS v3 6.1

EPSS 0.0018

EPSS Percentile 39.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

nasirkhan/laravel-starter 0 - 11.11.0Packagist

Published Apr 22, 2025

Tracked Since Feb 18, 2026