Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
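The defect described above, as an added illustration that is not Sharp's own code: a Laravel upload action whose validation rules come from the request, beside a version whose rules are fixed server-side and whose disk is private. The controller and method names are hypothetical and the allowed types are chosen for the example.

```php
<?php
// Added illustration, not code from the Sharp project. UploadController,
// uploadVulnerable and uploadFixed are hypothetical names.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class UploadController extends Controller
{
    // Vulnerable pattern (CWE-434): the rule set is taken from the request.
    // A client that sends validation_rule[]=file replaces the intended
    // mimes:jpg,png restriction with the generic "file" rule, so any
    // extension or MIME type is accepted.
    public function uploadVulnerable(Request $request)
    {
        $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png']);

        Validator::make($request->all(), ['file' => $rules])->validate();

        $path = $request->file('file')->store('uploads', 'local');

        return response()->json(['path' => $path]);
    }

    // Hardened pattern: rules are defined only on the server, any
    // validation_rule parameter in the request is ignored, and the file
    // is written to a private disk rather than a web-served one.
    public function uploadFixed(Request $request)
    {
        $request->validate([
            'file' => ['required', 'file', 'mimes:jpg,png,pdf', 'max:10240'],
        ]);

        // 'local' is private by default in Laravel; 'public' is served
        // under /storage and is the configuration the advisory warns about.
        $path = $request->file('file')->store('uploads', 'local');

        return response()->json(['path' => $path]);
    }
}
```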
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Immediate Patch
AI Analysis

Impact

Sharp versions before 9.20.0 allow an authenticated user to upload any file type because the client specifies a validation_rule parameter that bypasses the server‑side file type checks. By sending validation_rule[]=file the attacker can override MIME type and extension restrictions, potentially placing malicious files on the server. If the upload disk is publicly accessible, this could lead to code execution; if it is private, the files remain non‑executable but still expose the system to further compromise.

Affected Systems

The affected product is Code16 Sharp, a Laravel package used for content management. All Sharp installations running versions older than 9.20.0 are vulnerable. The issue arises in the ApiFormUploadController handling file uploads.

Risk and Exploitability

The CVSS score of 8.8 classifies this vulnerability as high severity. The EPSS score of less than one percent indicates low current exploitation probability, and it is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the upload endpoint, but the lack of server‑side restriction makes it straightforward once access is obtained. If uploads are saved to a publicly reachable disk, the risk of remote code execution rises significantly. Until a patch is applied, administrators should treat the vulnerability as a serious concern.

Generated by OpenCVE AI on April 2, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Sharp to version 9.20.0 or later, which removes client‑controlled validation rules and enforces server‑side restrictions.
  • If a patch cannot be applied immediately, configure Sharp to store uploads on a strictly private disk so that uploaded files cannot be accessed or executed from the web.
  • Audit existing uploaded files for unexpected extensions or MIME types.
  • Monitor upload activity logs for suspicious patterns and block anomalous requests.
  • Verify that the server’s file system permissions prevent execution of uploaded content on all disks.


Advisories

Source: GitHub GHSA
ID: GHSA-fr76-5637-w3g9
Title: Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
History

Thu, 02 Apr 2026 20:30:00 +0000

CPEs, values added: cpe:2.3:a:code16:sharp:*:*:*:*:*:*:*:*

Sat, 28 Mar 2026 03:15:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared, values added: Code16; Code16 sharp
Vendors & Products, values added: Code16; Code16 sharp

Thu, 26 Mar 2026 22:00:00 +0000

Description, values added: Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
Title, values added: Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
Weaknesses, values added: CWE-434
References, values added: (none shown)
Metrics, values added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:28:53.385Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33687

Vulnrichment

Updated: 2026-03-27T20:28:45.553Z

NVD

Status : Analyzed

Published: 2026-03-26T22:16:31.203

Modified: 2026-04-02T17:22:02.393

Link: CVE-2026-33687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:47Z

Weaknesses