Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
AnalysisAI
File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.
Technical ContextAI
Spatie Laravel Media Library is a widely used Laravel package for associating files with Eloquent models, handling uploads, conversions, and storage. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the FileAdder::defaultSanitizer() method enforces an extension blocklist that both (1) checks only the trailing filename suffix rather than all extension components, and (2) omits several Apache-recognized executable handlers such as .php6, .shtml, and .htaccess. Compounding the issue, PHP's pathinfo() function preserves inner stems when extracting basenames, so a filename like shell.php.jpg retains its .php component on disk. When Apache is configured with the legacy AddHandler php-script .php directive, mod_mime treats any filename containing .php anywhere in its extension chain as PHP-executable, turning a stored 'image' into a webshell. The affected CPE is cpe:2.3:a:spatie:laravel-medialibrary covering all versions before 11.23.0.
RemediationAI
Vendor-released patch: upgrade Spatie Laravel Media Library to 11.23.0 or later via composer require spatie/laravel-medialibrary:^11.23.0, which hardens FileAdder::defaultSanitizer() per pull request https://github.com/spatie/laravel-medialibrary/pull/3939 and commit 608ea03703d3887c46434f5dda6af56de6346aba. If immediate upgrade is not possible, configure Apache to replace any AddHandler php-script directive with SetHandler application/x-httpd-php scoped only to a controlled directory (avoids extension-based dispatch but requires reviewing all virtual hosts), or move uploads onto a separate non-executing storage domain or S3-backed disk so saved files cannot be served as PHP regardless of extension. As application-layer compensating controls, override the sanitizer to reject any filename whose pathinfo extension chain contains .php, .php3, .php4, .php5, .php6, .php7, .phtml, .shtml, .htaccess, or .htm/.html with embedded PHP, and enforce server-side content-type validation against magic bytes; note that overly strict blocklists may reject legitimate filenames such as report.htaccess-backup.pdf. Vendor advisory and release notes are at https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33439
GHSA-3ggm-c5m7-hfv5