CVSS 8.8 | CVE-2026-33687

Laravel Sharp CVE-2026-33687: File Upload Bypass Vulnerability

CVE-2026-33687 details a file upload bypass in Laravel Sharp. Authenticated users can bypass file type restrictions. Update to version 9.20.0 now.


A file upload bypass vulnerability exists in Laravel Sharp versions prior to 9.20.0. Authenticated users can exploit this to bypass file type restrictions, potentially leading to arbitrary code execution if a public disk is used. Update to version 9.20.0 to address this issue.

With a CVSS score of 8.8, this is a high-severity vulnerability due to potential for code execution.

What is Laravel?

Laravel is a popular open-source PHP web framework, designed for building web applications following the model–view–controller (MVC) architectural pattern. It provides a robust set of tools and features for tasks such as routing, database interaction, and templating. Laravel Sharp is a content-management and admin-panel package built on top of Laravel. To learn more, you can search all Laravel CVEs.

CVE-2026-33687: File Upload Restriction Bypass

CVSS: 8.8

Affected versions: This vulnerability affects Laravel Sharp versions prior to 9.20.0. It is exploitable by authenticated users who have access to the file upload endpoint.

High severity due to potential for arbitrary code execution.

With an EPSS score of 0.049, the probability of exploitation is relatively low.

The `ApiFormUploadController` in Sharp allows authenticated users to control the `validation_rule` parameter. Because the validation rule is taken from the request instead of being fixed on the server, an attacker can supply a permissive rule and bypass the file type and extension restrictions, potentially uploading malicious files.

How to fix CVE-2026-33687 in Laravel Sharp

Patch immediately

  1. Update your Laravel Sharp installation to version 9.20.0 or later:

     composer update code16/sharp

     (Sharp is distributed as the `code16/sharp` Composer package; `composer update laravel` alone would not update it.)

Workaround: Ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, uploaded files are not served from a web-reachable path, so an attacker cannot directly execute an uploaded PHP file unless a public disk configuration is explicitly used.
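The following is an added illustration, not code from Sharp or this advisory, of the two points above: validation rules that the request cannot influence, and storage on a private disk. `UploadController`, its methods and the `uploads` directory are hypothetical names; the Laravel APIs used (`Validator`, `Storage`, `UploadedFile`) are standard.

```php
<?php
// Added example (not Sharp's code): keep upload validation rules on the
// server and write uploads to a private disk.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\Validator;

class UploadController extends Controller
{
    // Rules are fixed here. The request body cannot widen them.
    private const RULES = [
        'file' => ['required', 'file', 'mimes:jpg,png,pdf', 'max:5120'],
    ];

    // Weak pattern, the class of bug the advisory describes: the rule string
    // comes from the caller, so a client can send a permissive rule, and the
    // file lands on a web-reachable public disk under its original name.
    public function weak(Request $request)
    {
        $rules = ['file' => $request->input('validation_rule', 'file')];
        $request->validate($rules);
        return $request->file('file')->store('uploads', 'public');
    }

    // Hardened: fixed rules, content-based MIME check via the `mimes` rule,
    // a server-generated filename, and Laravel's default private 'local' disk
    // (storage/app), which is not served over HTTP.
    public function hardened(Request $request)
    {
        $validated = Validator::make($request->all(), self::RULES)->validate();
        $file = $validated['file'];
        // Derive the extension from sniffed content, not the client's filename.
        $ext = strtolower($file->guessExtension() ?? 'bin');
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $path = Storage::disk('local')->putFileAs('uploads', $file, $name);
        return response()->json(['path' => $path]);
    }
}
```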

NextGuard automatically flags CVE-2026-33687 if Laravel Sharp appears in any of your monitored projects, with no manual lookup required.

Stay ahead of Laravel vulnerabilities

Proactively manage your application security by tracking and mitigating Laravel vulnerabilities. Use NextGuard to monitor your Laravel dependencies.

Frequently asked questions

How do I mitigate the file upload bypass in Laravel Sharp?

Update to version 9.20.0 or later. Regularly updating your dependencies is crucial for maintaining application security. See all Laravel vulnerabilities.

Related topics

laravel, file upload, security, vulnerability, patch