Platform: laravel
Component: laravel
Fixed in: 9.20.1, 9.20.0
CVE-2026-33686 describes a Path Traversal vulnerability discovered in Laravel Sharp, a content management framework for Laravel. This vulnerability allows attackers to potentially access sensitive files on the server due to insufficient sanitization of file extensions. The issue affects versions of Laravel Sharp prior to 9.20.0 and has been resolved in the 9.20.0 release.
The Path Traversal vulnerability in Laravel Sharp arises from the FileUtil::explodeExtension() function's flawed handling of file extensions. By injecting path separators into filenames, an attacker can bypass intended access controls and read arbitrary files on the server's filesystem. This could expose sensitive configuration files, source code, or even database credentials. The potential blast radius is significant, as a successful exploit could lead to complete system compromise. While the specific impact depends on the server's configuration and file permissions, the ability to read arbitrary files represents a serious security risk.
CVE-2026-33686 was publicly disclosed on 2026-03-26. Currently, there are no known active campaigns exploiting this vulnerability. No public proof-of-concept (PoC) code has been released, but the nature of Path Traversal vulnerabilities makes it likely that one will emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-33686 is to immediately upgrade Laravel Sharp to version 9.20.0 or later. This version includes a fix that properly sanitizes file extensions using pathinfo(PATHINFO_EXTENSION) instead of the vulnerable strrpos() method. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file extensions or path separators. Additionally, review file permissions to ensure that sensitive files are not accessible to the web server user.
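As an added illustration (not Sharp's own code), the snippet below contrasts a strrpos()-based extension split with the pathinfo(PATHINFO_EXTENSION) approach the fix adopted, and adds an assumed allowlist check so that a filename carrying separators is rejected outright; the sample filenames are constructed.

```php
<?php
// Added illustration (not Sharp's code): two ways of splitting "name.ext".
// The strrpos() variant mirrors the flawed pattern the advisory describes:
// it searches the *whole* string for the last dot, so anything after that
// dot, path separators included, becomes the "extension".
function explodeExtensionUnsafe(string $filename): array
{
    $dot = strrpos($filename, '.');
    if ($dot === false) {
        return [$filename, ''];
    }
    return [substr($filename, 0, $dot), substr($filename, $dot + 1)];
}

// pathinfo(PATHINFO_EXTENSION) only inspects the last path segment, so the
// returned extension can never contain a separator; the name part is taken
// from the basename as well.
function explodeExtensionSafe(string $filename): array
{
    $ext  = pathinfo($filename, PATHINFO_EXTENSION);
    $name = pathinfo($filename, PATHINFO_FILENAME);
    return [$name, $ext];
}

// Defence in depth (assumed policy, not from the advisory): a value meant to
// name a single file must contain no separators, no NUL bytes and no bare
// '..', and its extension must be on an allowlist. Note that pathinfo() alone
// still reports "env" for "../../.env", which is why this check exists.
function isAcceptableUploadName(string $filename, array $allowedExt): bool
{
    if ($filename === '' || $filename === '..' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowedExt, true);
}

// Constructed inputs: a normal upload name and two names carrying separators.
$samples = ['avatar.png', 'avatar.png/../../../etc/passwd', '../../.env'];
foreach ($samples as $s) {
    [$n1, $e1] = explodeExtensionUnsafe($s);
    [$n2, $e2] = explodeExtensionSafe($s);
    printf("%-32s strrpos ext=%-14s pathinfo ext=%-6s accepted=%s\n",
        $s, var_export($e1, true), var_export($e2, true),
        isAcceptableUploadName($s, ['png', 'jpg']) ? 'yes' : 'no');
}
```

Running it shows the strrpos() split yielding "/etc/passwd" as the extension of the second sample, while pathinfo() yields an empty extension and the allowlist check rejects both traversal names.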
Update the version of Sharp to 9.20.0 or higher. This version fixes the path traversal vulnerability by properly sanitizing file extensions. The update can be performed through the Composer package manager.
CVE-2026-33686 is a Path Traversal vulnerability in Laravel Sharp versions before 9.20.0, allowing attackers to potentially access arbitrary files on the server due to improper file extension sanitization.
You are affected if you are using Laravel Sharp versions prior to 9.20.0. Check your project's dependencies to determine if you are vulnerable.
Upgrade Laravel Sharp to version 9.20.0 or later to resolve this vulnerability. This version includes a fix for the improper file extension sanitization.
As of now, there are no confirmed reports of active exploitation of CVE-2026-33686, but the vulnerability's nature makes it a potential target.
Refer to the Laravel Sharp project's repository or official documentation for the advisory related to CVE-2026-33686.