Report an incident
Report an incident

Vulnerability in Laragon software
29 February 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-0864
Publication date 29 February 2024
Vendor Leo Khoa
Product Laragon
Vulnerable versions All
Vulnerability type (CWE) Improper Input Validation (CWE-20)
Report source Own research


During its own research, CERT Polska has found a vulnerability in Laragon open source project.

Enabling Simple Ajax Uploader plugin included in this software allows for a remote code execution (RCE) attack, which is feasible because file_upload.php lacks a mechanism which would validate files being uploaded. The vulnerability does not directly originate from the plugin source code, but from the example file_upload.php file using it. By default, Laragon is not vulnerable until a user decides to use the aforementioned plugin.

The vulnerability has been assigned the ID CVE-2024-0864 and possibly affects all versions of the software (including the latest 6.0.0). Due to difficulties in reaching out to the vendor it is unknown when (and if) the patch will be released.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at