Skip to main content

Laravel Medialibrary CVE-2026-48555

| EUVDEUVD-2026-33418 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 VulnCheck GHSA-fggg-964j-3j7h
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 29, 2026 - 20:22 NVD
HIGH MEDIUM
CVSS changed
May 29, 2026 - 20:22 NVD
7.4 (HIGH) 5.3 (MEDIUM)
Source Code Evidence Fetched
May 29, 2026 - 19:45 vuln.today
Analysis Generated
May 29, 2026 - 19:45 vuln.today

DescriptionCVE.org

Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.

AnalysisAI

Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.

Technical ContextAI

Spatie Laravel Medialibrary is a widely deployed PHP package (cpe:2.3:a:spatie:laravel-medialibrary) that abstracts file uploads, conversions, and storage for Laravel applications. The addMediaFromUrl() helper in InteractsWithMedia.php fetches a remote resource over HTTP so it can be ingested as a media object; prior to 11.23.0 it did not validate the supplied URL's scheme, host, or resolved IP, which is the canonical CWE-918 (Server-Side Request Forgery) pattern. Because the request originates from the application server, attackers can reach RFC1918 ranges, link-local addresses (169.254.169.254 cloud metadata), localhost-bound admin interfaces, and other resources normally shielded by network segmentation.

RemediationAI

Vendor-released patch: upgrade Spatie Laravel Medialibrary to 11.23.0 or later via composer require "spatie/laravel-medialibrary:^11.23.0", referencing the release notes at https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0 and patch commit 608ea03. Where immediate upgrade is not feasible, audit application code for calls to addMediaFromUrl() that consume request input and wrap them with an allow-list of permitted hostnames or a URL validator that resolves the host and rejects RFC1918, loopback, and link-local addresses (note: naive blocklists are bypassable via DNS rebinding, so prefer post-resolution IP checks). As compensating network controls, force the application's egress through a proxy that blocks 169.254.169.254 and internal CIDRs, and on AWS enforce IMDSv2 to neutralise the most damaging SSRF outcome - be aware that IMDSv2 enforcement can break legacy SDKs and that egress proxies may interfere with legitimate webhook or remote-image features that Medialibrary itself relies on.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-48555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy