Skip to main content

Laravel Medialibrary

2 CVEs product

Monthly

CVE-2026-48557 PHP HIGH PATCH GHSA This Week

File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.

File Upload PHP Apache Laravel Medialibrary
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-48555 PHP MEDIUM PATCH This Month

Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.

PHP SSRF Laravel Medialibrary
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.

File Upload PHP Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.

PHP SSRF Laravel Medialibrary
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy