CVE-2025-54068 is a CVSS 9.8 unauthenticated RCE in Laravel Livewire versions prior to 3.6.4, rooted in insecure deserialization of component state. CISA has listed this on the KEV catalog with a remediation deadline of April 3, 2026, confirming active in-the-wild exploitation; the EPSS score places it in the 94.7th percentile for exploitation probability. All Laravel Livewire 3.x deployments below version 3.6.4 should be patched immediately, with WAF-level blocking of Livewire component endpoints as an interim control for environments that cannot patch immediately.