GSA_kwCzR0hTQS1qMjI2LTYzajctcXJxaM4ABIyH

Moderate CVSS: 6.0 EPSS: 0.00065% (0.20393 Percentile) EPSS:

Permalink JSON

Laravel Translation Manager Vulnerable to Stored Cross-site Scripting

Affected Packages	Affected Versions	Fixed Versions
packagist:barryvdh/laravel-translation-manager	< 0.6.8	0.6.8
17 Dependent packages 404 Dependent repositories 3,188,439 Downloads total Affected Version Ranges All affected versions 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7 All unaffected versions 0.6.8

Impact

The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities.

Patches

The issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475 which is released in version 0.6.8

Workarounds

Only authenticated users with access to the translation manager are impacted.

References

[PT-2025-04] laravel translation manager.pdf

Reported by

Positive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)

References:

Identifiers

GHSA-j226-63j7-qrqh

CVE-2025-49130

Risk

Severity

Moderate

CVSS

CVSS Score: 6.0

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS

EPSS Percentage: 0.00065

EPSS Percentile: 0.20393

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/barryvdh/laravel-translation-manager

Date and time

Published

3 months ago

Updated

3 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories