Skip to main content

Laravel-Mediable CVE-2026-49970

HIGH
Path Traversal (CWE-22)
2026-07-13 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable low-complexity upload sink requires an authenticated actor able to influence the directory argument (PR:L), and arbitrary file write to RCE yields full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:28 vuln.today
Analysis Generated
Jul 13, 2026 - 19:28 vuln.today
CVE Published
Jul 13, 2026 - 18:11 cve.org
HIGH 8.7

DescriptionCVE.org

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination(). Attackers can exploit the permissive character-class regex that allows both dot and slash characters combined with an ineffective trailing trim() call to bypass sanitization and upload files to sensitive locations such as the document root, environment configuration files, or application configuration directories, enabling remote code execution.

AnalysisAI

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to upload feature
Delivery
Submit upload with '../' directory argument
Exploit
Bypass sanitizePath regex/trim
Execution
Write PHP file to web root
Persist
Request planted file
Impact
Execute arbitrary code

Vulnerability AssessmentAI

Exploitation Exploitation requires that the host Laravel application allows the attacker to influence the directory argument passed to MediaUploader::toDestination() - the specific vulnerable sink - while running a Laravel-Mediable version before 7.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H), indicating a network-reachable, low-complexity attack that requires some privilege (PR:L) and no user interaction, with high confidentiality, integrity, and availability impact - consistent with arbitrary file write escalating to RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In a Laravel app that lets users pick or supply an upload destination folder, an attacker submits an upload whose directory argument contains '../' sequences (e.g. traversing to the public web root) and writes a .php file, then requests that file to execute arbitrary code. …
Remediation Vendor-released patch: 7.0.0 - upgrade the plank/laravel-mediable dependency to 7.0.0 or later (composer require plank/laravel-mediable:^7.0), which strips '.' characters from path segments in directory validation and closes the traversal (fix commit 6d1e7fb39922fdfb3b2d120e13f4eb2e653ae082, release notes at https://github.com/plank/laravel-mediable/releases/tag/7.0.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all production systems running Plank Laravel-Mediable and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy