<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-53932 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-53932/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 21:12:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-53932/feed.xml" rel="self" type="application/rss+xml"/><item><title>Laravel-Backup-Restore OS Command Injection (CVE-2026-53932)</title><link>https://feed.craftedsignal.io/briefs/2026-07-laravel-backup-restore-rce/</link><pubDate>Thu, 09 Jul 2026 21:12:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-laravel-backup-restore-rce/</guid><description>A critical OS command injection vulnerability, tracked as CVE-2026-53932, exists in the wnx/laravel-backup-restore package (versions &lt;= 1.9.3), allowing an attacker to execute arbitrary shell commands on the hosting system by crafting a malicious backup archive with shell metacharacters in a database dump filename, leading to application compromise, data tampering, and potential lateral movement.</description><content:encoded><![CDATA[<p>A significant OS command injection vulnerability, identified as CVE-2026-53932, affects the <code>wnx/laravel-backup-restore</code> package in versions prior to 1.9.4. This flaw allows an attacker to achieve arbitrary command execution on systems performing database restores. The vulnerability arises because the package improperly handles filenames within backup archives. When a specially crafted ZIP archive containing shell metacharacters in a database dump filename under the <code>db-dumps</code> directory is restored, the <code>laravel-backup-restore</code> package interpolates these unescaped filenames directly into database import commands. This execution occurs via Symfony's <code>Process::fromShellCommandline()</code>, which causes the shell metacharacters to be interpreted by <code>/bin/sh</code> on Unix-like systems or the platform shell on Windows. Successful exploitation can lead to full compromise of the application and the underlying server, operating with the privileges of the PHP/Laravel application user. This issue is not related to malicious SQL content but rather the structure of the backup archive's filenames.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious backup archive (e.g., a ZIP file) containing a <code>db-dumps</code> directory.</li>
<li>Inside the <code>db-dumps</code> directory, the attacker includes a database dump file with a filename that contains shell metacharacters (e.g., <code>dump.sql; cat /etc/passwd &gt; /tmp/pwned.txt</code>).</li>
<li>The malicious backup archive is introduced to the target system, potentially through a compromised source, malicious upload, or direct access.</li>
<li>An operator or automated process on the target system initiates a database restore operation using the vulnerable <code>laravel-backup-restore</code> package.</li>
<li>During the restore, the package extracts the ZIP archive and identifies the database dump file within the <code>db-dumps</code> directory.</li>
<li>The <code>laravel-backup-restore</code> package constructs a shell command (e.g., <code>mysql ... &lt; {dumpFile}</code>) for database import, interpolating the unescaped malicious filename directly into the command string.</li>
<li>The underlying Symfony <code>Process::fromShellCommandline()</code> executes the constructed command via <code>/bin/sh</code> or the platform shell, interpreting the shell metacharacters and executing the attacker's injected arbitrary commands (e.g., <code>cat /etc/passwd</code>).</li>
<li>The attacker's commands are executed on the server, leading to application compromise, data exfiltration, or further post-exploitation activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-53932 allows an attacker to execute arbitrary shell commands as the PHP/Laravel application user on the system performing the database restore. This can lead to a severe compromise of the affected application and the underlying server. Consequences include unauthorized access to sensitive data, such as database credentials and application secrets, complete data tampering or destruction, and the installation of backdoors for persistent access. Depending on the permissions of the PHP user, attackers could achieve lateral movement within the network or elevate privileges, turning a simple restore operation into a full system compromise. The severity of the impact is high given the potential for complete control over the compromised server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>wnx/laravel-backup-restore</code> to version 1.9.4 or higher to patch CVE-2026-53932.</li>
<li>Deploy the Sigma rules titled &quot;Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Windows)&quot; and &quot;Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Linux)&quot; to your SIEM solution.</li>
<li>Ensure process creation logging is enabled for <code>php</code> and its child processes on all Windows and Linux servers running Laravel applications.</li>
<li>Review existing automated backup restore workflows and any manual restore procedures to minimize exposure to untrusted backup archives.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>os-command-injection</category><category>laravel</category><category>php</category><category>vulnerability</category><category>cve-2026-53932</category></item></channel></rss>