CVE-2021-21263

Name: CVE-2021-21263
Creator: NVD / NIST
Published: 2021-01-19T20:15:13.3+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 1.60%

Last modified Jun 17, 2026

CVE-2021-21263 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. EPSS estimates a 1.60% chance of exploitation in the next 30 days.

Description

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

1.60%

72.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Laravel	Laravel	>= 6.0.0, < 6.20.11
Laravel	Laravel	>= 7.0.0, < 7.30.2
Laravel	Laravel	>= 8.0.0, < 8.22.1

References

https://blog.laravel.com/security-laravel-62011-7302-8221-releasedVendor Advisory
https://github.com/laravel/framework/pull/35865Patch, Third Party Advisory
https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5xThird Party Advisory
https://packagist.org/packages/illuminate/databaseProduct, Third Party Advisory
https://packagist.org/packages/laravel/frameworkProduct, Third Party Advisory
https://blog.laravel.com/security-laravel-62011-7302-8221-releasedVendor Advisory
https://github.com/laravel/framework/pull/35865Patch, Third Party Advisory
https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5xThird Party Advisory
https://packagist.org/packages/illuminate/databaseProduct, Third Party Advisory
https://packagist.org/packages/laravel/frameworkProduct, Third Party Advisory

Timeline

Published: Jan 19, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21263?

How severe is CVE-2021-21263?

CVE-2021-21263 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.60% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21263?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21263?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST