VDB

GCVE-110-OSM-2021-2

GCVE-110-OSM-2021-2
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published September 8, 2021
Malicious Laravel package containing backdoor for remote code execution. Backdoor embedded in QRCodeServiceProvider boot() method, automatically executed by Laravel framework. Laravel auto-calls boot() method of QRCodeServiceProvider class, enabling persistent backdoor. Remote command execution triggered via URL parameter ?run=[command] on any page of the infected site. Provides full web shell capabilities. Related to fr3on/neutron package by same author (Ahmed Mardi, Egyptian PHP developer).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlaraveli/qr-code* (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected)
unknownall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), all (affected), all (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›