Skip to main content

Spatie Laravel Media Library CVE-2026-48557

| EUVDEUVD-2026-33439 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-05-29 VulnCheck GHSA-3ggm-c5m7-hfv5
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 29, 2026 - 20:33 vuln.today
Analysis Generated
May 29, 2026 - 20:33 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
8.8 (HIGH) 8.7 (HIGH)
CVE Published
May 29, 2026 - 19:49 nvd
HIGH 8.7

DescriptionCVE.org

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.

AnalysisAI

File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.

Technical ContextAI

Spatie Laravel Media Library is a widely used Laravel package for associating files with Eloquent models, handling uploads, conversions, and storage. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the FileAdder::defaultSanitizer() method enforces an extension blocklist that both (1) checks only the trailing filename suffix rather than all extension components, and (2) omits several Apache-recognized executable handlers such as .php6, .shtml, and .htaccess. Compounding the issue, PHP's pathinfo() function preserves inner stems when extracting basenames, so a filename like shell.php.jpg retains its .php component on disk. When Apache is configured with the legacy AddHandler php-script .php directive, mod_mime treats any filename containing .php anywhere in its extension chain as PHP-executable, turning a stored 'image' into a webshell. The affected CPE is cpe:2.3:a:spatie:laravel-medialibrary covering all versions before 11.23.0.

RemediationAI

Vendor-released patch: upgrade Spatie Laravel Media Library to 11.23.0 or later via composer require spatie/laravel-medialibrary:^11.23.0, which hardens FileAdder::defaultSanitizer() per pull request https://github.com/spatie/laravel-medialibrary/pull/3939 and commit 608ea03703d3887c46434f5dda6af56de6346aba. If immediate upgrade is not possible, configure Apache to replace any AddHandler php-script directive with SetHandler application/x-httpd-php scoped only to a controlled directory (avoids extension-based dispatch but requires reviewing all virtual hosts), or move uploads onto a separate non-executing storage domain or S3-backed disk so saved files cannot be served as PHP regardless of extension. As application-layer compensating controls, override the sanitizer to reject any filename whose pathinfo extension chain contains .php, .php3, .php4, .php5, .php6, .php7, .phtml, .shtml, .htaccess, or .htm/.html with embedded PHP, and enforce server-side content-type validation against magic bytes; note that overly strict blocklists may reject legitimate filenames such as report.htaccess-backup.pdf. Vendor advisory and release notes are at https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-48557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy