Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
AnalysisAI
Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.
Technical ContextAI
Spatie Laravel Medialibrary is a widely deployed PHP package (cpe:2.3:a:spatie:laravel-medialibrary) that abstracts file uploads, conversions, and storage for Laravel applications. The addMediaFromUrl() helper in InteractsWithMedia.php fetches a remote resource over HTTP so it can be ingested as a media object; prior to 11.23.0 it did not validate the supplied URL's scheme, host, or resolved IP, which is the canonical CWE-918 (Server-Side Request Forgery) pattern. Because the request originates from the application server, attackers can reach RFC1918 ranges, link-local addresses (169.254.169.254 cloud metadata), localhost-bound admin interfaces, and other resources normally shielded by network segmentation.
RemediationAI
Vendor-released patch: upgrade Spatie Laravel Medialibrary to 11.23.0 or later via composer require "spatie/laravel-medialibrary:^11.23.0", referencing the release notes at https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0 and patch commit 608ea03. Where immediate upgrade is not feasible, audit application code for calls to addMediaFromUrl() that consume request input and wrap them with an allow-list of permitted hostnames or a URL validator that resolves the host and rejects RFC1918, loopback, and link-local addresses (note: naive blocklists are bypassable via DNS rebinding, so prefer post-resolution IP checks). As compensating network controls, force the application's egress through a proxy that blocks 169.254.169.254 and internal CIDRs, and on AWS enforce IMDSv2 to neutralise the most damaging SSRF outcome - be aware that IMDSv2 enforcement can break legacy SDKs and that egress proxies may interfere with legitimate webhook or remote-image features that Medialibrary itself relies on.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33418
GHSA-fggg-964j-3j7h