CVE-2026-33686

Description

### Summary A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. ### Detail In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. However, the extracted extension is never sanitized. While the application uses a `normalizeName()` function, this function only cleans the base filename, meaning any path separators (such as /) injected into the extension will survive and be passed into the `storeAs()` function. ### Impact Exploiting this flaw allows an authenticated attacker to manipulate file paths: - Files can be written outside of the intended tmp directory via path traversal. For more details on the package, visit: https://github.com/code16/sharp - Existing critical files (such as .env or configuration files) could potentially be overwritten. Review the CWE definition here: https://cwe.mitre.org/data/definitions/22.html (Note: This vulnerability was successfully chained with CWE-434 in a local Proof of Concept to confirm the traversal.) ### Patches This issue has been patched by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension. The fix is available in pull request #715 ### Credits Reported by [zaurgsynv](https://github.com/zaurgsynv).

Priority Score