CVE-2025-49130: 
PHP vulnerability analysis and mitigation

Laravel Translation Manager, a package for managing Laravel translation files, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2025-49130) prior to version 0.6.8. The vulnerability was discovered by Positive Technologies researchers and disclosed on June 9, 2025. The issue affects all versions before 0.6.8 and impacts authenticated users with access to the translation manager interface (GitHub Advisory, Wiz).

The vulnerability stems from incorrect input validation and sanitization of user-input data in the translation manager interface. The issue specifically relates to improper sanitization of group and locale values, allowing authenticated users to inject arbitrary HTML code, including JavaScript scripts. The vulnerability was assigned a CVSS v4.0 score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N (GitHub Advisory).

When exploited, the vulnerability allows attackers to inject malicious JavaScript code that executes in the user's browser context. This can lead to theft of sensitive data, session hijacking, and other malicious activities. The impact is limited to authenticated users who have access to the translation manager (GitHub Advisory).

The vulnerability has been patched in version 0.6.8 of Laravel Translation Manager. The fix includes improved input sanitization for group and locale values, as implemented in pull request #475. Users are advised to update to version 0.6.8 or later (GitHub Release, GitHub PR).