
PHP EUVD-2026-16164

CVE-2026-4809 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-26 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
CVSS 4.0 base score: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (Scope is not a CVSS 4.0 metric; the vector's Subsequent System metrics SC/SI/SA are all N)

Lifecycle Timeline

EUVD ID Assigned: Mar 26, 2026 11:22 (euvd), EUVD-2026-16164
Analysis Generated: Mar 26, 2026 11:22 (vuln.today)
CVE Published: Mar 26, 2026 11:16 (nvd)

Description (NVD)

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
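Added example, not code from vuln.today or from the laravel-mediable project, of the application-side check the description implies: decide the file type from the bytes on disk rather than the client-supplied MIME type, require the two to agree, and refuse image/PHP polyglots. It assumes plain PHP 8 with the fileinfo extension; the allow-list, function names and sample files are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: MIME type detected from content => extension to store under.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Weak pattern (the configuration the advisory describes): the type comes from
 * the client's declaration, so "image/png" is accepted for any bytes at all.
 */
function extensionFromClientMime(string $declaredMime): ?string
{
    return ALLOWED_IMAGE_TYPES[$declaredMime] ?? null;
}

/**
 * Hardened form: derive the type from the file contents (libmagic via finfo),
 * require it to agree with the client's claim, and refuse anything carrying a
 * PHP open tag even when the magic bytes look like an image.
 * Returns the extension to store under, or null to reject the upload.
 */
function safeImageExtension(string $path, string $declaredMime): ?string
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        return null;   // content is not an allowed image type
    }
    if ($detected !== $declaredMime) {
        return null;   // declared type disagrees with the content
    }
    $head = file_get_contents($path, false, null, 0, 1 << 16);
    if ($head === false || str_contains($head, '<?php') || str_contains($head, '<?=')) {
        return null;   // image/PHP polyglot
    }
    return ALLOWED_IMAGE_TYPES[$detected];
}

// Constructed sample 1: PHP source declared as image/png, the case in the advisory.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'test'; ?>\n");
var_dump(extensionFromClientMime('image/png'));   // declared type alone
var_dump(safeImageExtension($tmp, 'image/png'));  // content-based check

// Constructed sample 2: bytes beginning with the PNG signature (header only; enough for libmagic).
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
var_dump(safeImageExtension($tmp, 'image/png'));
unlink($tmp);
```

Sample 1 passes the declaration-only check and is rejected by the content check; sample 2 is accepted as png. Independently of this check, uploads should be stored under a server-generated name in a location that is not executable by the web server, which removes the code-execution path the description relies on.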

Analysis (AI-generated)

Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. …


Remediation (AI-generated)

Within 24 hours: Identify all applications using plank/laravel-mediable and document affected versions; immediately disable file upload functionality if operationally feasible or restrict uploads to authenticated users only. Within 7 days: Implement network-level controls (see compensating controls below) and conduct file system audit for suspicious PHP files in web-accessible directories created after deployment. …


EUVD-2026-16164 vulnerability details – vuln.today
