Platform: laravel
Component: plank/laravel-mediable
Fixed in: 6.4.1
CVE-2026-4809 is an Arbitrary File Access vulnerability affecting versions of the laravel-mediable package up to 6.4.0. This flaw allows attackers to upload files with dangerous content, such as executable PHP code, by manipulating MIME types during file uploads. Successful exploitation could lead to remote code execution on vulnerable Laravel applications. As of the publication date, no patch is available, and the vendor has not responded to coordinated disclosure attempts.
The primary impact of CVE-2026-4809 is the potential for remote code execution (RCE). An attacker can bypass the intended checks by uploading a PHP file declared with a benign image MIME type (e.g., image/jpeg). If the application stores this uploaded file in a web-accessible directory with PHP execution enabled, the attacker can then request it and execute the malicious code directly. This could lead to complete compromise of the server, including data exfiltration, modification, or denial of service. The blast radius extends to any sensitive data processed by the Laravel application, and from the compromised server the attacker could potentially move laterally to other systems it can reach on the network.
This vulnerability was publicly disclosed on 2026-03-26. There are currently no known public proof-of-concept exploits, but the ease of exploitation makes it a high-priority concern. The vulnerability's severity is amplified by the lack of a patch and the potential for RCE. It is recommended to monitor security advisories and forums for any emerging exploitation attempts. The absence of vendor response is concerning and warrants increased vigilance.
Exploit Status
EPSS: 0.52% (67th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
Due to the lack of a patch, immediate mitigation is crucial. The most effective workaround is to implement strict MIME type validation on the server-side, independently verifying the file type against its content, not just the client-provided header. Additionally, ensure that uploaded files are stored in a directory that is not web-accessible and where PHP execution is disabled. Consider using a dedicated storage service with restricted access. Implement robust input validation and sanitization to prevent any user-supplied data from being directly executed. Regularly scan your application for vulnerabilities and review file upload handling logic.
This CVE indicates an arbitrary file upload vulnerability. Since no patch is available, the solution is to stop using the vulnerable version (6.4.0 or earlier) of plank/laravel-mediable or implement additional security measures in the application to validate and sanitize client-supplied MIME types during file upload. Consider restricting allowed file types and verifying the file content instead of relying solely on the MIME type provided.
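Content-based validation of the kind recommended above, as an added example that is neither this advisory's nor laravel-mediable's own code: `UploadValidator` is a hypothetical helper, it assumes PHP 8 with the fileinfo extension, and the client-supplied MIME type is accepted as a parameter only to make clear that it is never used.

```php
<?php
// Added example (hypothetical helper, not laravel-mediable's own code): accept an
// upload only if its *content* is an allowed image, ignoring the client-supplied
// MIME type, then store it under a random name outside the web root. PHP 8+, ext-fileinfo.
declare(strict_types=1);

final class UploadValidator
{
    // Sniffed MIME type => allowed extensions and the magic bytes expected at offset 0.
    private const ALLOWED = [
        'image/jpeg' => ['ext' => ['jpg', 'jpeg'], 'magic' => "\xFF\xD8\xFF"],
        'image/png'  => ['ext' => ['png'],         'magic' => "\x89PNG\r\n\x1a\n"],
        'image/gif'  => ['ext' => ['gif'],         'magic' => 'GIF8'],
    ];

    /** Returns the sniffed MIME type or throws. $clientMime is attacker-controlled, so it is never consulted. */
    public static function validate(string $path, string $originalName, string $clientMime): string
    {
        $data = (string) file_get_contents($path);
        if ($data === '') { throw new RuntimeException('empty upload'); }

        // 1. Derive the type from the bytes (libmagic), not from $clientMime or the extension.
        $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($data) ?: 'application/octet-stream';
        if (!isset(self::ALLOWED[$sniffed])) { throw new RuntimeException("content type {$sniffed} is not allowed"); }

        // 2. The magic bytes of that type must actually sit at offset 0.
        if (!str_starts_with($data, self::ALLOWED[$sniffed]['magic'])) { throw new RuntimeException('magic bytes do not match'); }

        // 3. The extension must agree with the content: a genuine JPEG named "x.php" is still refused.
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED[$sniffed]['ext'], true)) { throw new RuntimeException("extension .{$ext} does not match {$sniffed}"); }

        // 4. Reject image/PHP polyglots (re-encoding with GD or Imagick is the stronger option).
        if (preg_match('/<\?php\b|<\?=/i', $data)) { throw new RuntimeException('embedded PHP open tag'); }

        return $sniffed;
    }

    /** Moves the validated file to a non-web-accessible directory under a server-chosen name. */
    public static function store(string $tmpPath, string $sniffed, string $privateDir): string
    {
        $dest = rtrim($privateDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . self::ALLOWED[$sniffed]['ext'][0];
        // A real request handler should use move_uploaded_file(); rename() keeps this runnable from the CLI.
        if (!rename($tmpPath, $dest)) { throw new RuntimeException('could not store upload'); }
        return $dest;
    }
}
```

In a Laravel controller, pass `$file->getRealPath()`, `$file->getClientOriginalName()` and `$file->getClientMimeType()` from the request's `UploadedFile` into `validate()`, and give `store()` a directory that is not under `public/` and has PHP execution disabled.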
CVE-2026-4809 is a CRITICAL vulnerability in laravel-mediable versions up to 6.4.0 allowing attackers to upload malicious files disguised as images, potentially leading to remote code execution.
You are affected if your Laravel application uses laravel-mediable version 6.4.0 or earlier and relies on client-supplied MIME types for file validation.
No patch is currently available. Mitigate by implementing strict server-side MIME type validation and storing uploaded files in a non-web-accessible directory with PHP execution disabled.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern. Monitor security advisories and forums.
Check the laravel-mediable GitHub repository and related Laravel community forums for updates and advisories.