Skip to main content

Laravel Mediable

4 CVEs product

Monthly

CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-49971 MEDIUM PATCH This Month

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.

XSS CSRF Laravel Mediable
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-49970 HIGH PATCH This Week

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.

RCE Path Traversal Laravel Mediable
NVD GitHub
CVSS 4.0
8.7
EPSS
0.8%
CVE-2026-49969 MEDIUM PATCH This Month

Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.

SSRF Laravel Mediable
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.

XSS CSRF Laravel Mediable
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.

RCE Path Traversal Laravel Mediable
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.

SSRF Laravel Mediable
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy