Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal
Action: Immediate Patch
AI Analysis

Impact

Sharp, a Laravel content‑management package, contains a path traversal flaw in its FileUtil class. The explodeExtension function extracts a file's extension by splitting on the last dot without sanitizing the result, allowing directory separators to be embedded in the extension. An attacker who can provide a crafted filename is able to cause the framework to read or write files outside the intended storage directory, potentially exposing sensitive data, overwriting critical configuration files, or escalating privileges according to the web server’s permissions.

Affected Systems

The vulnerability affects all installations of code16’s Sharp framework released before version 9.20.0. Versions 9.20.0 and later include a patch that sanitizes extensions using pathinfo and strict regex checks.

Risk and Exploitability

The CVSS score for this flaw is 8.8, indicating high severity. The EPSS score is below 1 %, suggesting a low likelihood of widespread exploitation at present. It is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector involves exploiting file‑upload or file‑download functions that pass user‑supplied filenames through FileUtil, allowing an attacker to supply a malicious filename that manipulates the extension field.

Generated by OpenCVE AI on April 2, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sharp to version 9.20.0 or newer to apply the official extension sanitization patch.
  • If an upgrade cannot be performed immediately, implement server‑side validation that rejects any filename containing directory separators or other illegal characters before it reaches FileUtil.

Generated by OpenCVE AI on April 2, 2026 at 06:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9ffq-6457-8958 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:code16:sharp:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Code16
Code16 sharp
Vendors & Products Code16
Code16 sharp

Thu, 26 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Title Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Code16 Sharp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:59:50.752Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33686

cve-icon Vulnrichment

Updated: 2026-03-27T13:59:43.124Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T22:16:31.050

Modified: 2026-04-01T12:26:41.247

Link: CVE-2026-33686

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:09Z

Weaknesses