VDB
GCVE-110-OSM-2021-2
GCVE-110-OSM-2021-2
Advisory PublishedCVSS 9.6/10
Malicious Laravel package containing backdoor for remote code execution. Backdoor embedded in QRCodeServiceProvider boot() method, automatically executed by Laravel framework.
Laravel auto-calls boot() method of QRCodeServiceProvider class, enabling persistent backdoor. Remote command execution triggered via URL parameter ?run=[command] on any page of the infected site. Provides full web shell capabilities. Related to fr3on/neutron package by same author (Ahmed Mardi, Egyptian PHP developer).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | laraveli/qr-code | * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), * (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), All versions affected (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), All versions affected (affected), All versions affected (affected) | — |
| unknown | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), * (affected), all (affected), all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.