Laravel-Mediable
CVE-2026-49970
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable low-complexity upload sink requires an authenticated actor able to influence the directory argument (PR:L), and arbitrary file write to RCE yields full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination(). Attackers can exploit the permissive character-class regex that allows both dot and slash characters combined with an ineffective trailing trim() call to bypass sanitization and upload files to sensitive locations such as the document root, environment configuration files, or application configuration directories, enabling remote code execution.
AnalysisAI
Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the host Laravel application allows the attacker to influence the directory argument passed to MediaUploader::toDestination() - the specific vulnerable sink - while running a Laravel-Mediable version before 7.0.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H), indicating a network-reachable, low-complexity attack that requires some privilege (PR:L) and no user interaction, with high confidentiality, integrity, and availability impact - consistent with arbitrary file write escalating to RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In a Laravel app that lets users pick or supply an upload destination folder, an attacker submits an upload whose directory argument contains '../' sequences (e.g. traversing to the public web root) and writes a .php file, then requests that file to execute arbitrary code. … |
| Remediation | Vendor-released patch: 7.0.0 - upgrade the plank/laravel-mediable dependency to 7.0.0 or later (composer require plank/laravel-mediable:^7.0), which strips '.' characters from path segments in directory validation and closes the traversal (fix commit 6d1e7fb39922fdfb3b2d120e13f4eb2e653ae082, release notes at https://github.com/plank/laravel-mediable/releases/tag/7.0.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all production systems running Plank Laravel-Mediable and document current versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Laravel Mediable
View allRemote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file s
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issu
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious Ja
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today