Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.

Basic Information

ID CVE-2026-48557

Source VulnCheck

Published May 29, 2026 at 19:49

Affected Product

Vendor spatie

Product laravel-medialibrary

Affected Versions spatie laravel-medialibrary 0

CWE Classification

CWE-184

References

{
    "lastseen": "",
    "description": "Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.",
    "published": "2026-05-29T19:49:15.604Z",
    "modified": "2026-05-29T19:49:15.604Z",
    "type": "cve",
    "title": "Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php",
    "source": "VulnCheck",
    "references": "https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0\nhttps://github.com/spatie/laravel-medialibrary/pull/3939\nhttps://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba\nhttps://www.vulncheck.com/advisories/spatie-laravel-media-library-file-upload-restriction-bypass-via-fileadder-php",
    "id": "CVE-2026-48557",
    "bulletinFamily": "",
    "cwe": [
        "CWE-184"
    ],
    "cvelist": null,
    "sourceData": "spatie laravel-medialibrary 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "laravel-medialibrary",
    "version": "0",
    "vendor": "spatie",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php_CVE-2026-48557