Platform: laravel
Component: laravel
Fixed in: 9.20.0, 9.20.1
CVE-2026-33687 describes an Unrestricted File Upload vulnerability affecting Laravel Sharp, a content management framework. This flaw allows authenticated users to bypass file type restrictions, potentially leading to the upload of malicious files and subsequent server compromise. This impacts versions prior to 9.20.0. Upgrade to version 9.20.0 to remediate this vulnerability.
CVE-2026-33687 in Sharp, a content management framework for Laravel, allows authenticated users to bypass all file type restrictions within the file upload endpoint. This is due to a flaw in the validation of the client-controlled validation_rule parameter. Versions prior to 9.20.0 are affected. An attacker can manipulate this parameter to upload files that would normally be prohibited, such as executable files, potentially compromising server security and data integrity. The CVSS score is 8.8, indicating a high risk. The lack of proper server-side enforcement opens the door to remote code execution and other malicious activities.
The vulnerability is exploited by sending an HTTP POST request to Sharp's file upload endpoint, manipulating the validation_rule parameter to allow the upload of unauthorized file types. Since authentication is required, the attacker must have access to a valid user account within the Sharp application. The exploitation complexity is relatively low, as it doesn't require advanced technical skills or specialized tools. The impact can be significant, enabling an attacker to compromise the server or access sensitive information.
EPSS: 0.05% (15th percentile)
The solution to this vulnerability is to upgrade Sharp to version 9.20.0 or higher. This version corrects the validation flaw by implementing stricter validation of the validation_rule parameter within the ApiFormUploadController. Additionally, it's recommended to review and strengthen file upload security policies, ensuring all user inputs are properly validated and sanitized on the server side. Implementing a malicious file scanning system after upload can also help mitigate the risk. Applying these updates and security measures promptly is crucial to protect your Laravel applications.
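The following is an added illustration of the underlying pattern, not Sharp's own code: an upload handler that takes its validation rule from the client-controlled validation_rule parameter, beside one that resolves the rule server-side from a fixed policy. The field name "avatar", the UPLOAD_POLICY table and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side upload policy, keyed by form field name.
const UPLOAD_POLICY = [
    'avatar' => [
        'extensions' => ['jpg', 'jpeg', 'png'],
        'mimes'      => ['image/jpeg', 'image/png'],
        'max_bytes'  => 2_000_000,
    ],
];

// Vulnerable pattern: the rule string is read from the request body, so the
// client decides what is "valid" and can relax the rule to accept any file.
function vulnerableRules(array $request): string
{
    return $request['validation_rule'] ?? 'file';
}

// Hardened pattern: the rule is looked up by field name on the server; any
// validation_rule value sent by the client is ignored entirely.
function hardenedRules(string $field): array
{
    if (!isset(UPLOAD_POLICY[$field])) {
        throw new InvalidArgumentException("Unknown upload field: $field");
    }
    return UPLOAD_POLICY[$field];
}

// Enforce the server-side policy. $detectedMime must come from content
// sniffing of the stored temp file (e.g. finfo_file()), never from the
// client-supplied Content-Type header or the file name alone.
function isUploadAllowed(string $field, string $clientName, string $detectedMime, int $sizeBytes): bool
{
    $policy = hardenedRules($field);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, $policy['extensions'], true)
        && in_array($detectedMime, $policy['mimes'], true)
        && $sizeBytes <= $policy['max_bytes'];
}

// Constructed sample inputs: a genuine image, a PHP file, and a PHP file
// renamed with an image extension (rejected because the sniffed MIME differs).
var_dump(isUploadAllowed('avatar', 'me.png', 'image/png', 120_000));
var_dump(isUploadAllowed('avatar', 'script.php', 'text/x-php', 500));
var_dump(isUploadAllowed('avatar', 'script.php.png', 'text/x-php', 500));
```

Whatever rule string a client sends in validation_rule has no effect on the hardened path, which is the property the 9.20.0 fix restores.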
Update Sharp to version 9.20.0 or higher. Alternatively, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
Sharp is a content management framework for Laravel that simplifies form creation and data management.
Check the version of Sharp you are using. If it’s older than 9.20.0, it is vulnerable. You can verify the version in your Laravel project's composer.json file.
With this vulnerability, an attacker could upload any file type, including executable files, that would normally be prohibited.
If you cannot update immediately, consider implementing stricter firewall rules to limit the types of files that can be uploaded and closely monitor server logs.
After updating, review your file upload security policies and ensure all user inputs are properly validated and sanitized.