Back to overview

CVE-2026-49972

HIGH
8.8
CVSS 3.1
Description
Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFO_FILENAME extraction preserves the inner .php extension in the base name, and on misconfigured Apache or nginx servers that execute any filename containing .php as PHP, the stored file is interpreted as executable code while all MIME type, extension, and aggregate type validation checks pass due to the outer .jpg extension.

Metadata

CVE ID
CVE-2026-49972
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-02 16:30 UTC
Published
2026-07-13 18:16 UTC
Last updated
2026-07-13 18:16 UTC
Primary CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
Vendor / Product
plank / laravel-mediable
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
plank laravel-mediable 0 < 7.0.0
Weakness (CWE)
CWESourceDescription
CWE-434 cna Unrestricted Upload of File with Dangerous Type
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview