Platform
laravel
Component
laravel
Fixed in
9.20.1
9.20.0
9.20.1
CVE-2026-33686 describes a Path Traversal vulnerability discovered in Laravel Sharp, a content management framework for Laravel. This flaw allows attackers to potentially access sensitive files outside of the intended storage directory due to insufficient sanitization of file extensions. The vulnerability impacts versions of Laravel Sharp up to and including 9.20.0. A patch addressing this issue has been released in version 9.20.0.
The Path Traversal vulnerability in Laravel Sharp arises from the FileUtil::explodeExtension() function's flawed handling of file extensions. By injecting path separators into filenames, an attacker can bypass intended access controls and read arbitrary files on the server. This could expose sensitive data such as configuration files, database credentials, or even source code. The potential blast radius is significant, as successful exploitation could lead to complete compromise of the application server. This vulnerability shares similarities with other path traversal flaws where improper input validation allows attackers to navigate outside of designated directories.
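To illustrate the bug class described above, the following is an added example, not code from Laravel Sharp or from the advisory: a naive strrpos-based extension split (assumed shape, suggested by the grep check further down) next to a hardened split that rejects separators and traversal sequences and then confirms the resolved path is still inside the storage root. All function names and the sample filename are hypothetical.

```php
<?php
declare(strict_types=1);

// Naive split: everything after the last '.' is taken as the extension, and
// whatever precedes it, separators included, is returned untouched as the base.
function naiveExplodeExtension(string $filename): array
{
    $pos = strrpos($filename, '.');
    if ($pos === false) {
        return [$filename, ''];
    }
    return [substr($filename, 0, $pos), substr($filename, $pos + 1)];
}

// Hardened split: the whole name must be a single path component and the
// extension must be a short alphanumeric token.
function safeExplodeExtension(string $filename): array
{
    // Reject slashes, backslashes, NUL bytes and any '..' sequence anywhere in the name.
    if (preg_match('#[/\\\\\0]#', $filename) || str_contains($filename, '..')) {
        throw new InvalidArgumentException('filename must be a single path component');
    }
    $pos = strrpos($filename, '.');
    if ($pos === false || $pos === 0) {
        return [$filename, ''];            // no extension, or a dotfile
    }
    $ext = substr($filename, $pos + 1);
    if (!preg_match('/^[A-Za-z0-9]{1,16}$/', $ext)) {
        throw new InvalidArgumentException('extension must be alphanumeric');
    }
    return [substr($filename, 0, $pos), strtolower($ext)];
}

// Second line of defence: build the final path and verify its parent directory
// resolves to the storage root, so a bypass of the name check still cannot escape.
function storagePathFor(string $root, string $filename): string
{
    [$base, $ext] = safeExplodeExtension($filename);
    $rootReal = realpath($root);
    $candidate = $rootReal . DIRECTORY_SEPARATOR . $base . ($ext !== '' ? ".$ext" : '');
    if ($rootReal === false || realpath(dirname($candidate)) !== $rootReal) {
        throw new RuntimeException('resolved path escapes storage root');
    }
    return $candidate;
}

// Constructed sample input: a name that smuggles separators past the naive split.
$sample = 'avatar.png/../../.env';
var_dump(naiveExplodeExtension($sample));
try {
    safeExplodeExtension($sample);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The naive variant hands back a base name that still contains the traversal sequence, which is exactly what a downstream path builder must never receive; the hardened variant refuses the name before any path is formed.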
CVE-2026-33686 was publicly disclosed on 2026-03-26. No known public proof-of-concept exploits are currently available, but the vulnerability's nature suggests a relatively low barrier to exploitation. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Applications utilizing Laravel Sharp versions prior to 9.20.0 are at risk. This includes projects that rely on Sharp for file management and content handling. Shared hosting environments using Laravel Sharp are particularly vulnerable, as they may lack the ability to easily update the framework.
• laravel / server:
  find /var/www/laravel/vendor/sharp/src/Utils -name 'FileUtil.php' -print
• laravel / server:
  grep -r 'strrpos' /var/www/laravel/vendor/sharp/src/Utils/FileUtil.php
• generic web:
  curl -I 'http://your-laravel-app.com/path%2e%2e/to/sensitive/file.txt'
• generic web:
  wget -S -O /dev/null 'http://your-laravel-app.com/path%2e%2e/to/sensitive/file.txt' 2>&1 | grep 'Server:'
Disclosure
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33686 is to upgrade Laravel Sharp to version 9.20.0 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path separators in file extensions. Additionally, review and restrict file upload permissions to prevent attackers from uploading malicious files. Verify the upgrade by attempting to access files outside the intended storage directory; access should be denied.
Update Sharp to version 9.20.0 or later. This version fixes the path traversal vulnerability by properly sanitizing file extensions. The update can be performed through the Composer package manager.
CVE-2026-33686 is a Path Traversal vulnerability in Laravel Sharp versions before 9.20.0, allowing attackers to potentially access arbitrary files on the server due to improper file extension sanitization.
You are affected if you are using Laravel Sharp versions prior to 9.20.0. Check your project's dependencies to determine if you are vulnerable.
Upgrade Laravel Sharp to version 9.20.0 or later to resolve this vulnerability. This version includes a fix for the improper file extension sanitization.
As of now, there are no confirmed reports of active exploitation of CVE-2026-33686, but the vulnerability's nature makes it a potential target.
Refer to the Laravel Sharp project's repository or official documentation for the advisory related to CVE-2026-33686.