Platform: laravel
Component: plank/laravel-mediable
Fixed in: 6.4.1
CVE-2026-4809 is an Arbitrary File Access vulnerability affecting versions of the laravel-mediable package up to 6.4.0. This flaw allows attackers to upload files with dangerous content, such as executable PHP code, by manipulating MIME types during file uploads. Successful exploitation could lead to remote code execution on vulnerable Laravel applications. As of the publication date, no patch is available, and the vendor has not responded to coordinated disclosure attempts.
The primary impact of CVE-2026-4809 is the potential for remote code execution (RCE). An attacker can exploit this vulnerability by crafting a malicious PHP file, disguising it with a benign image MIME type (e.g., image/jpeg), and uploading it through the laravel-mediable package. If the application trusts the client-supplied MIME type and stores the uploaded file in a web-accessible directory with PHP execution enabled, the attacker can execute arbitrary code on the server. This could lead to complete system compromise, data theft, or denial of service. The blast radius extends to any sensitive data or functionality accessible by the web server, making this a high-severity risk.
CVE-2026-4809 was publicly disclosed on 2026-03-26. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns are not yet confirmed, but the ease of exploitation could attract malicious actors.
Applications built with Laravel that utilize the laravel-mediable package for file uploads are at risk. This includes projects that rely on client-supplied MIME types for file validation without robust server-side verification. Shared hosting environments where users have control over file uploads are particularly vulnerable.
• laravel: Inspect file upload handling code for reliance on client-supplied MIME types. Check for files with PHP extensions in web-accessible directories. Use find /var/www/laravel -name '*.php' to identify potential targets.
• generic web: Monitor web server access logs for unusual file uploads, particularly those with image extensions but potentially malicious content. Look for requests containing Content-Type: image/* followed by PHP file access.
• generic web: Use a WAF to block uploads of files with potentially dangerous extensions (e.g., .php, .phtml, .php3) regardless of the declared MIME type.
EPSS: 0.52% (67th percentile)
Due to the absence of a patch, immediate mitigation is crucial. The primary defense is to implement strict MIME type validation on the server-side, independently verifying the file type regardless of the client-supplied header. Configure the web server to disallow PHP execution in the upload directory. Consider using a WAF (Web Application Firewall) to filter potentially malicious file uploads. Implement robust file storage practices, ensuring uploaded files are stored outside of the web root and are not executable. Regularly scan the application for misconfigurations and vulnerabilities. After implementing these mitigations, verify file upload functionality to ensure legitimate uploads are not blocked.
This CVE describes an arbitrary file upload vulnerability. Since no patch is available, the remedy is to stop using the vulnerable version (6.4.0 or earlier) of plank/laravel-mediable or to add security controls in the application that validate and sanitize the MIME types supplied by the client during file upload. Consider restricting the permitted file types and inspecting the file's content instead of relying solely on the supplied MIME type.
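The server-side validation recommended in the two preceding paragraphs, written out as an added example (not code from plank/laravel-mediable or Laravel). It assumes Laravel's UploadedFile class is available; the allow-list, the forbidden-extension list and the storage path are illustrative application policy, not the package's API.

```php
<?php
// Added example, not code from plank/laravel-mediable or Laravel: validate an
// upload by its bytes and ignore the client-supplied Content-Type entirely.
// Assumptions: Laravel's UploadedFile is available, and the allow-list and
// storage path below are illustrative application policy, not the package's API.
declare(strict_types=1);
use Illuminate\Http\UploadedFile;

final class UploadContentValidator
{
    /** Server-chosen extension => MIME type detected from file content. */
    private const ALLOWED = [
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'gif' => 'image/gif',
        'pdf' => 'application/pdf',
    ];

    /** Never stored, whatever the declared MIME type (extends the WAF list above). */
    private const FORBIDDEN_EXTENSIONS = ['php', 'phtml', 'php3', 'phar'];

    /** Returns the extension to store the file under, or throws. */
    public static function validate(UploadedFile $file): string
    {
        // 1. Reject dangerous extensions anywhere in the name ("shell.php.jpg" too).
        $parts = explode('.', strtolower($file->getClientOriginalName()));
        foreach (array_slice($parts, 1) as $ext) {
            if (in_array($ext, self::FORBIDDEN_EXTENSIONS, true)) {
                throw new \RuntimeException('Forbidden file extension');
            }
        }
        // 2. Detect the real type from the bytes via libmagic; $file->getClientMimeType()
        //    (the header the uploader controls) is deliberately never consulted.
        $detected = (new \finfo(FILEINFO_MIME_TYPE))->file($file->getRealPath());
        $ext = array_search($detected, self::ALLOWED, true);
        if ($ext === false) {
            throw new \RuntimeException("Content type not allowed: {$detected}");
        }
        // 3. For images, also require that PHP's image parser accepts the file.
        if (str_starts_with($detected, 'image/') && @getimagesize($file->getRealPath()) === false) {
            throw new \RuntimeException('File is not a parseable image');
        }
        // Store under a random, server-chosen name and extension, outside the web root:
        //   $file->storeAs('uploads', bin2hex(random_bytes(16)) . ".$ext", 'local');
        return $ext;
    }
}
```

Content sniffing narrows the attack surface but is not a complete defense on its own; the decisive control remains that the web server never executes PHP from the directory where uploads are stored.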
CVE-2026-4809 is a CRITICAL vulnerability in laravel-mediable versions up to 6.4.0 allowing attackers to upload malicious files disguised as images, potentially leading to remote code execution.
You are affected if your Laravel application uses laravel-mediable version 6.4.0 or earlier and relies on client-supplied MIME types for file validation.
No patch is currently available. Mitigate by implementing strict server-side MIME type validation and storing uploaded files in a non-web-accessible directory with PHP execution disabled.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern. Monitor security advisories and forums.
Check the laravel-mediable GitHub repository and related Laravel community forums for updates and advisories.