GHSA-w9mx-xmg4-gc4r: laravel-backup-restore has an OS Command Injection during database restore
A command injection vulnerability exists in the wnx/laravel-backup-restore package before version 1.9.4. During database restore, the package extracts a ZIP archive and uses filenames from the db-dumps directory directly in shell commands without proper escaping. This allows an attacker who can supply a crafted backup archive to execute arbitrary shell commands as the application user on the system performing the restore. The vulnerability is fixed in version 1.9.4, and upgrading is the only complete remediation.
AI Analysis
Technical Summary
The wnx/laravel-backup-restore package versions prior to 1.9.4 contain an OS command injection vulnerability triggered during database restore. The restore process extracts a ZIP archive and enumerates files under the db-dumps directory. Filenames are converted to absolute paths and interpolated directly into shell command strings for database import commands (e.g., mysql, psql, sqlite3) without shell escaping. Because the underlying process execution uses Symfony's Process::fromShellCommandline(), shell metacharacters in filenames are interpreted by the system shell, enabling command injection. This vulnerability allows arbitrary command execution as the PHP/Laravel application user if a malicious backup archive is restored.
Potential Impact
An attacker able to cause a malicious backup archive to be restored can execute arbitrary shell commands on the host system with the privileges of the PHP/Laravel application user. This can lead to full application compromise, disclosure of database credentials, tampering with restored data, and potential lateral movement within the environment depending on deployment permissions.
Mitigation Recommendations
A patch fixing this vulnerability is available in version 1.9.4 of wnx/laravel-backup-restore. Upgrading to version 1.9.4 or later is the only complete fix. There are no configuration options or workarounds to disable the vulnerable code path, so upgrading is strongly recommended.
GHSA-w9mx-xmg4-gc4r: laravel-backup-restore has an OS Command Injection during database restore
Description
A command injection vulnerability exists in the wnx/laravel-backup-restore package before version 1.9.4. During database restore, the package extracts a ZIP archive and uses filenames from the db-dumps directory directly in shell commands without proper escaping. This allows an attacker who can supply a crafted backup archive to execute arbitrary shell commands as the application user on the system performing the restore. The vulnerability is fixed in version 1.9.4, and upgrading is the only complete remediation.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The wnx/laravel-backup-restore package versions prior to 1.9.4 contain an OS command injection vulnerability triggered during database restore. The restore process extracts a ZIP archive and enumerates files under the db-dumps directory. Filenames are converted to absolute paths and interpolated directly into shell command strings for database import commands (e.g., mysql, psql, sqlite3) without shell escaping. Because the underlying process execution uses Symfony's Process::fromShellCommandline(), shell metacharacters in filenames are interpreted by the system shell, enabling command injection. This vulnerability allows arbitrary command execution as the PHP/Laravel application user if a malicious backup archive is restored.
Potential Impact
An attacker able to cause a malicious backup archive to be restored can execute arbitrary shell commands on the host system with the privileges of the PHP/Laravel application user. This can lead to full application compromise, disclosure of database credentials, tampering with restored data, and potential lateral movement within the environment depending on deployment permissions.
Mitigation Recommendations
A patch fixing this vulnerability is available in version 1.9.4 of wnx/laravel-backup-restore. Upgrading to version 1.9.4 or later is the only complete fix. There are no configuration options or workarounds to disable the vulnerable code path, so upgrading is strongly recommended.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-w9mx-xmg4-gc4r
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-53932"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a50ba7668715ace435803f6
Added to database: 07/10/2026, 09:25:10 UTC
Last enriched: 07/10/2026, 09:58:46 UTC
Last updated: 07/10/2026, 09:58:46 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.