Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Published: 2026-03-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Path traversal allowing arbitrary file access or modification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Sharp's FileUtil::explodeExtension() method, which obtains a file's extension by splitting on the last period. Because user-controlled file paths are not sanitized, an attacker can inject path separator characters into the extension field. This defect lets the application reference files outside the intended upload or storage directory, potentially reading sensitive files or writing arbitrary data, thereby compromising confidentiality and integrity. The weakness is a classic path traversal flaw (CWE-22).

Affected Systems

Sharp is a Laravel package built by code16, used as a content management framework. Versions prior to 9.20.0 are affected. Applications deploying these versions without the hardening introduced in 9.20.0 are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity. Because the flaw can be triggered when the application processes user-supplied filenames, which typically occurs in publicly exposed upload or file handling endpoints, the likely attack vector is remote via network exposure. No exploit probability data (EPSS) is supplied, and the flaw is not yet listed in CISA's KEV catalog, but the high CVSS combined with potential remote exploitation makes immediate attention prudent. An attacker with sufficient input control could read or overwrite arbitrary files on the server, leading to data theft, tampering, or even control of the application.

Generated by OpenCVE AI on March 26, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sharp to version 9.20.0 or later.
  • If an upgrade is not feasible, apply the PR that patches FileUtil by replacing the split logic with pathinfo(PATHINFO_EXTENSION) and enforcing strict regex on the base name and extension.
  • Validate and sanitize all filenames before passing them to storage, ensuring no path separators are present.
  • Implement file upload restrictions and monitor log entries for abnormal file operations.
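
The unsafe split the advisory describes, placed next to a hardened variant that follows the patched approach (pathinfo(PATHINFO_EXTENSION) plus strict regex on both parts), as an added PHP illustration; this is not Sharp's own FileUtil code, and the function names, the [basename, extension] return shape and the allow-list regexes are assumptions made for this example.

```php
<?php
// Reconstruction of the pre-9.20.0 behaviour described in the advisory:
// the extension is whatever follows the last dot, so any path separator
// after that dot travels into the "extension". Hypothetical, for illustration.
function explodeExtensionUnsafe(string $filename): array
{
    $pos = strrpos($filename, '.');
    if ($pos === false) {
        return [$filename, ''];
    }
    return [substr($filename, 0, $pos), substr($filename, $pos + 1)];
}

// Hardened variant: let pathinfo() decide what the extension is (it only ever
// looks at the last path component), then restrict both parts to an allow-list.
// The regexes below are this example's assumptions, not Sharp's exact patterns.
function explodeExtensionSafe(string $filename): array
{
    $extension = pathinfo($filename, PATHINFO_EXTENSION);
    $basename  = pathinfo($filename, PATHINFO_FILENAME);
    $extension = preg_replace('/[^a-z0-9]/i', '', $extension);
    $basename  = preg_replace('/[^a-z0-9_-]/i', '', $basename);
    if ($basename === '') {
        $basename = 'file'; // never hand an empty name to the storage layer
    }
    return [$basename, $extension];
}

// Defensive check from the recommended actions: refuse any name carrying a separator.
function containsPathSeparator(string $part): bool
{
    return strpbrk($part, '/\\') !== false;
}

// Constructed sample inputs: a normal upload and one whose last dot sits inside a '..'.
$samples = ['report.pdf', 'avatar.png/../conf'];
foreach ($samples as $name) {
    [$b1, $e1] = explodeExtensionUnsafe($name);
    [$b2, $e2] = explodeExtensionSafe($name);
    printf("%-20s unsafe=[%s|%s] separator-in-ext=%s  safe=[%s|%s]\n",
        $name, $b1, $e1, containsPathSeparator($e1) ? 'yes' : 'no', $b2, $e2);
}
```

For the second sample the unsafe split yields the extension "/conf", which is exactly the separator leakage the advisory describes, while the hardened split yields ["conf", ""].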


Advisories
Source | ID | Title
Github GHSA | GHSA-9ffq-6457-8958 | Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code16; Code16 sharp
Vendors & Products | | Code16; Code16 sharp

Thu, 26 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Title | | Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T21:54:25.294Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33686

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T22:16:31.050

Modified: 2026-03-26T22:16:31.050

Link: CVE-2026-33686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:01Z

Weaknesses