Canadian Cyber Security Journal
Filed under: TechTalk

CISA Flags Laravel Livewire CVE-2025-54068 and Craft CMS CVE-2025-32432 as Actively Exploited: Canadian Web Applications at Risk

What Happened

CISA added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in late March 2026, setting April 3, 2026 as the remediation deadline for Federal Civilian Executive Branch agencies. Two of the additions affect widely deployed PHP web frameworks and content platforms used across enterprise and government environments globally.

CVE-2025-54068 is a code injection vulnerability in Laravel Livewire, the full-stack component framework for building dynamic interfaces inside Laravel PHP applications without a separate JavaScript front end. The flaw carries a CVSS score of 9.8. In specific deployment configurations, an unauthenticated remote attacker can achieve arbitrary code execution on the web server by submitting a crafted component-update payload to the Livewire request handler. Successful exploitation yields code execution in the context of the web server process (typically the PHP-FPM or web server user), with everything that account can read, including the application's configuration and secrets.

CVE-2025-32432 is a code injection vulnerability in Craft CMS, a content management system used to build enterprise websites, digital publishing platforms, and e-commerce properties. The flaw allows a remote attacker to inject and execute arbitrary code through a crafted request to the application, without requiring administrative access in affected configurations.

Both vulnerabilities have confirmed in-the-wild exploitation. A KEV addition signals that CISA has evidence of active attack campaigns against organizations running unpatched versions of these frameworks.

Why This Matters for Canadian Organizations

Laravel is one of the most widely adopted PHP frameworks in Canada and globally. Canadian web development agencies, software firms, financial services portals, healthcare patient-facing applications, and government digital services run Laravel and Laravel Livewire-based applications across public-facing and internal systems.

With a CVSS score of 9.8 and unauthenticated RCE, CVE-2025-54068 sits in the highest-severity class of web application vulnerability. An attacker who exploits it against an internet-accessible Laravel Livewire application controls the web server process, and with it the database credentials and other secrets in the application's .env file, the Laravel APP_KEY that protects sessions and encrypted data, the file system, and any backend services the application can reach. Any personal data of Canadians stored in or accessible from a compromised Laravel application must be assessed against PIPEDA's breach-of-security-safeguards reporting and notification obligations, which are triggered where the breach creates a real risk of significant harm.

Craft CMS is used by a significant number of Canadian digital agencies, media organizations, and enterprise marketing and content teams. A code injection flaw at the CMS layer jeopardizes both the web application’s data and the server infrastructure hosting it, with the same risk profile for downstream data exposure.

Organizations running either framework should treat this CISA KEV addition as a direct actionable alert, not a US-government-only concern. KEV additions represent the confirmed floor of exploitation activity, not its ceiling.

What to Do

Update Laravel Livewire to the patched version addressing CVE-2025-54068. Review the official Laravel Livewire security advisory and release notes to confirm the minimum patched version for your deployment series, and check the version actually installed (the livewire/livewire entry in composer.lock) rather than the constraint in composer.json, since the two can differ.

Apply the Craft CMS patch addressing CVE-2025-32432 immediately and verify the installed craftcms/cms version against the release notes for your major series.
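The two update steps above come down to one question: is the version pinned in composer.lock at or above the fixed release for its series? The script below is an added example written for this article, not code from Laravel, Livewire or Craft CMS. The minimum fixed versions in its table are assumptions to be confirmed against each project's advisory, and the sample lock file is constructed; point it at a real composer.lock to audit a deployment.

```python
"""Check a composer.lock for vulnerable installs of livewire/livewire and
craftcms/cms.  Added example for this article, not code from either project."""
import json
import re

# ASSUMPTION: minimum fixed version per major release series.  Confirm these
# against the Livewire and Craft CMS security advisories before relying on them;
# series absent from the table (e.g. Livewire 2.x) are reported, not judged.
FIXED = {
    "livewire/livewire": {"CVE-2025-54068": {3: "3.6.4"}},
    "craftcms/cms": {"CVE-2025-32432": {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}},
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """'v3.6.3' -> (3, 6, 3, 1, '').  A pre-release such as '3.6.4-beta.1'
    becomes (3, 6, 4, 0, 'beta.1'), so it sorts below the final 3.6.4.
    Raises ValueError for branch aliases like 'dev-main'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a release version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def audit_lock(lock_json):
    """Return findings as (package, installed, cve, fixed_version) tuples.
    fixed_version is 'unknown' when the installed version cannot be parsed and
    'series-not-listed' when the major series is not in FIXED."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in FIXED:
            continue
        installed = pkg.get("version", "")
        for cve, series in FIXED[name].items():
            try:
                inst = parse_version(installed)
            except ValueError:
                findings.append((name, installed, cve, "unknown"))
                continue
            fixed = series.get(inst[0])
            if fixed is None:
                findings.append((name, installed, cve, "series-not-listed"))
            elif inst < parse_version(fixed):
                findings.append((name, installed, cve, fixed))
    return findings


# Constructed sample lock file: Livewire one patch level behind, Craft up to date.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.44.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
        {"name": "craftcms/cms", "version": "4.14.15"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Real use: audit_lock(open("composer.lock").read())
    for name, installed, cve, fixed in audit_lock(SAMPLE_LOCK):
        print(f"{name} {installed}: {cve} (fixed in {fixed})")
```

A lock file pinned to a branch alias such as dev-main, or to a series the table does not cover, is reported rather than silently passed, because those are exactly the installs that need a human to read the advisory.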

Audit web server access logs for POST request patterns consistent with code injection attempts: unusual payload structures, bursts of server-side (5xx) errors from the framework's request handler, tooling user agents, and requests that arrive without the Referer a browser-driven request would carry. For Livewire v3 the place to start is POST traffic to /livewire/update, the route every component update passes through. Pair the access logs with the application logs (storage/logs/laravel.log for Laravel, storage/logs for Craft) and look for deserialization or template-evaluation errors. Keep in mind that a successful exploit returns a normal response, so an absence of errors is not evidence of an absence of exploitation. Run dependency scanning against your Laravel project to identify any additional unpatched packages in your stack.
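The log-audit step above is easier to act on as a first-pass triage script. The code below is an added example written for this article, not detection content published by CISA, Laravel or Craft CMS. It parses Apache/nginx combined-format lines, scores POSTs to the two frameworks' request handlers on the signals the step names, and aggregates by source address. The handler paths, the user-agent list and the weights are assumptions to tune for your deployment, and the log lines are constructed.

```python
"""Triage web server access logs for POST traffic to the Livewire and Craft
request handlers that looks like exploitation attempts.  Added example for this
article, written against Apache/nginx combined log format; it is not detection
content published by CISA, Laravel or Craft."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: the endpoints worth watching.  /livewire/update is the Livewire v3
# component-update route; Craft dispatches controller actions under its action
# trigger, "actions" by default.  Adjust both if your deployment renames them.
HANDLER_PATHS = (
    re.compile(r"^/livewire/update(?:[?/]|$)"),
    re.compile(r"(?:^|[/=])actions/"),
)
NON_BROWSER_UA = re.compile(r"^(?:curl|python-requests|Go-http-client|Wget|libwww|-$)", re.I)

# Weights are a starting point, not a tuned model: a 5xx from the handler is the
# strongest single signal, a tooling user agent and a missing Referer support it.
WEIGHTS = {"handler-post": 1, "5xx": 3, "tool-ua": 2, "no-referer": 1}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_request(rec):
    """Score one parsed request; returns (score, [reasons]).  Non-POSTs and
    requests outside the handler paths score 0."""
    if rec["method"] != "POST" or not any(p.search(rec["path"]) for p in HANDLER_PATHS):
        return 0, []
    reasons = ["handler-post"]
    if rec["status"].startswith("5"):
        reasons.append("5xx")
    if NON_BROWSER_UA.match(rec["ua"]):
        reasons.append("tool-ua")
    if rec["referer"] in ("", "-"):
        reasons.append("no-referer")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(lines, threshold=4):
    """Aggregate scores per source IP and return those at or above threshold as
    {ip: {"score": int, "hits": [(timestamp, path, status, reasons), ...]}}."""
    per_ip = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score:
            per_ip[rec["ip"]]["score"] += score
            per_ip[rec["ip"]]["hits"].append((rec["ts"], rec["path"], rec["status"], reasons))
    return {ip: v for ip, v in per_ip.items() if v["score"] >= threshold}


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:14:02 +0000] "POST /livewire/update HTTP/1.1" 500 1843 "-" "python-requests/2.32.0"
198.51.100.4 - - [27/Mar/2026:10:14:05 +0000] "POST /livewire/update HTTP/1.1" 200 512 "https://app.example.ca/dashboard" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
203.0.113.7 - - [27/Mar/2026:10:14:09 +0000] "POST /index.php?p=actions/entries/save-entry HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.4 - - [27/Mar/2026:10:14:11 +0000] "GET /dashboard HTTP/1.1" 200 9021 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
203.0.113.7 - - [27/Mar/2026:10:14:20 +0000] "POST /livewire/update HTTP/1.1" 200 77 "-" "python-requests/2.32.0"
"""

if __name__ == "__main__":
    # Real use: triage(open("/var/log/nginx/access.log"))
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: score {info['score']}")
        for ts, path, status, reasons in info["hits"]:
            print(f"  {ts} {path} -> {status} [{', '.join(reasons)}]")
```

In the constructed sample, the browser user posting normally to /livewire/update scores 1 and is ignored, while the scripted source that first drew a 500 from each handler and then got a 200 on a later attempt is surfaced with all three requests. That last hit is the important one: the successful request is the one that looks least suspicious on its own, which is why scoring runs per source rather than per line.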

If exploitation is confirmed or suspected, treat every secret readable by the web server process (the contents of .env, database passwords, API tokens, and the Laravel APP_KEY) as compromised and rotate it, then assess whether personal data of Canadians was accessible from the compromised system and evaluate PIPEDA notification obligations. Organizations with evidence of web application compromise should report indicators to the Canadian Centre for Cyber Security at contact@cyber.gc.ca.

Source: The Hacker News | CISA KEV Catalog
