
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
DevDojo Voyager through version 1.8.0 contains a reflected Cross-Site Scripting (XSS) vulnerability in the /admin/compass endpoint. The vulnerability was discovered in January 2025 and affects the Laravel admin package that has over 11,800 stars on GitHub and millions of downloads (Bleeping Computer, Hacker News).
The vulnerability exists in the /admin/compass endpoint where user input is improperly sanitized, allowing attackers to inject JavaScript into popup messages. When an authenticated admin clicks on a malicious link, the script executes in their browser. The vulnerability received a CVSS v3.1 Base Score of 3.5 (LOW) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).
When exploited, the vulnerability allows attackers to perform actions on behalf of authenticated administrators, potentially escalating to remote code execution. The vulnerability becomes particularly dangerous when chained with other vulnerabilities in the system, enabling attackers to execute arbitrary code on the server when a privileged user clicks on a malicious link (Sonar Source).
At the time of disclosure, no official patches were available for this vulnerability. Users are advised to restrict access to trusted users only, implement strict role-based access control (RBAC), and consider avoiding the use of Voyager in production environments until official patches are released (Bleeping Computer).
The vulnerability was initially discovered by SonarSource researchers, who attempted to report it to the Voyager maintainers multiple times, starting on September 11, 2024. After receiving no response within the 90-day disclosure window, the researchers publicly disclosed the vulnerability to protect users (Sonar Source).
Source: This report was generated using AI