CVE-2026-4809
Severity
UNKNOWN
Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
Platform
laravel
Component
plank/laravel-mediable
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
How to fix
This CVE describes an arbitrary file upload vulnerability. Since no patch is available, the remedy is to stop using the vulnerable version (6.4.0 or earlier) of plank/laravel-mediable, or to implement additional security measures in the application to validate and sanitize the client-supplied MIME types during file upload. Consider restricting the permitted file types and verifying the file's actual content instead of relying solely on the MIME type supplied by the client.
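A content-based upload check of the kind recommended above, as an added example that is not code from plank/laravel-mediable or its authors. The function name validateUploadByContent, the allowlist shape and the sample files are assumptions for illustration; it relies only on PHP's finfo extension.

```php
<?php
// Added example (not part of plank/laravel-mediable): decide whether an upload is
// acceptable by inspecting its bytes, never by trusting the client-declared MIME type.
// $allowed maps a server-detected MIME type to the extension the stored file will get,
// e.g. ['image/png' => 'png', 'image/jpeg' => 'jpg']. Returns ['ok' => bool, ...].
function validateUploadByContent(string $path, string $clientMime, array $allowed): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);          // magic-byte detection, ignores $clientMime
    if ($detected === false || !isset($allowed[$detected])) {
        return [
            'ok'     => false,
            'reason' => "detected type '" . ($detected ?: 'unknown') . "' is not on the allowlist",
            // A mismatch between what the client declared and what the bytes say is a
            // useful detection signal; surface it so it can be logged by the caller.
            'declared' => $clientMime,
        ];
    }
    // For image types, additionally require that the file decodes as an image.
    // Note: this does not defeat image/PHP polyglots; storing uploads outside the
    // web root (or in a non-executable location) remains the primary control.
    if (str_starts_with($detected, 'image/') && @getimagesize($path) === false) {
        return ['ok' => false, 'reason' => 'image signature present but file does not decode', 'declared' => $clientMime];
    }
    // The stored extension comes from the detected type, not from the client filename.
    return ['ok' => true, 'mime' => $detected, 'extension' => $allowed[$detected], 'declared' => $clientMime];
}

// Constructed sample: a file containing PHP code submitted with a benign image MIME type.
$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'not an image'; ?>");
$result = validateUploadByContent($tmp, 'image/png', $allowed);
unlink($tmp);
var_dump($result['ok']);           // bool(false): finfo reports text/x-php, not image/png
echo $result['reason'], PHP_EOL;
```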