Summary A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and pa…
| CVE ID | CVE-2026-53932 |
| Vendor | composer |
| Affected Product | wnx/laravel-backup-restore |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.0 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
gunzip -c {dumpFile} / gunzip < {dumpFile}psql ... < {dumpFile}sqlite3 ... < {dumpFile} Because Illuminate\Support\Facades\Process::run(string) uses Symfony Process::fromShellCommandline(), shell metacharacters in the dump filename are interpreted by /bin/sh on Unix-like systems or by the platform shell on Windows.A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command strings. The dump filename is not shell-escaped before it is interpolated into commands such as: - mysql ... < {dumpFile}
If an attacker can cause
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.