Home

Description

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.

PUBLISHED Reserved 2026-05-21 | Published 2026-05-29 | Updated 2026-05-29 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Incomplete List of Disallowed Inputs

Product status

Default status
affected

Any version before 11.23.0
affected

Credits

Xurshidbek Sobirjonov finder

VulnCheck finder

References

github.com/spatie/laravel-medialibrary/releases/tag/11.23.0 release-notes

github.com/spatie/laravel-medialibrary/pull/3939 issue-tracking

github.com/...ommit/608ea03703d3887c46434f5dda6af56de6346aba patch

www.vulncheck.com/...ad-restriction-bypass-via-fileadder-php third-party-advisory

cve.org (CVE-2026-48557)

nvd.nist.gov (CVE-2026-48557)

Download JSON