Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
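As an added illustration, not code from Sharp or from the advisory, the hypothetical Laravel upload action below shows the client-controlled rule pattern the description refers to next to a server-side-only version; the function names, rule list and disk name are assumptions.

```php
<?php
// Added example (hypothetical, not Sharp's own code): an upload action that
// takes its validation rules from the request, beside one that fixes them
// server-side. Illustrates CWE-434 as described in the advisory.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\Validator;

// Vulnerable pattern: the rule set is read from the request body, so a client
// that sends validation_rule[]=file replaces the intended mimes restriction
// with the bare "file" rule and any file type passes validation.
function validateUploadVulnerable(Request $request): void
{
    $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png,pdf']);
    Validator::make($request->all(), ['file' => $rules])->validate();
}

// Hardened pattern: rules are a server-side constant; the request is never
// consulted for them, so extra parameters cannot weaken the check.
// (Assumed allowlist; adapt to the file types the application really needs.)
const UPLOAD_RULES = [
    'file' => ['required', 'file', 'mimes:jpg,jpeg,png,pdf', 'max:10240'],
];

function validateUploadHardened(Request $request): void
{
    // Only the uploaded file is validated; any validation_rule input is ignored.
    Validator::make($request->only('file'), UPLOAD_RULES)->validate();
}

// Storage side of the workaround the advisory names: write to a disk that is
// not web-served ('local' is private by default in config/filesystems.php),
// so even a file that slips through validation cannot be executed directly.
function storeUploadPrivately(Request $request): string
{
    validateUploadHardened($request);
    return Storage::disk('local')->putFile('uploads', $request->file('file'));
}
```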
Published: 2026-03-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Unrestricted File Upload
Action: Patch Immediately
AI Analysis

Impact

Sharp’s file upload endpoint accepts a client‑controlled validation_rule parameter that is passed directly to Laravel’s validator with no server‑side enforcement. Because an authenticated user can set validation_rule[]=file, the original file type and MIME type restrictions are completely bypassed, allowing the upload of any file type. While the default configuration does not execute PHP files unless a public disk is used, the ability to upload arbitrary files can compromise confidentiality and integrity if the upload location is misconfigured or later exploited.

Affected Systems

The vulnerability affects the Sharp content‑management framework distributed by code16. All releases prior to version 9.20.0 are vulnerable. Any Laravel application that includes Sharp and uses its default upload endpoint is exposed to every user who is authenticated to the system.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity. No EPSS score is available and it is not listed in CISA’s KEV catalog, yet the vulnerability remains exploitable because it only requires authenticated access—a capability often granted to normal users in CMS environments. The exploit chain involves crafting a request that includes validation_rule[]=file; this enables the attacker to upload files without restriction, potentially leading to further compromise if the upload storage is publicly accessible or if other vulnerabilities are present.

Generated by OpenCVE AI on March 26, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Sharp to version 9.20.0 or later to remove client‑controlled validation rules
  • If the upgrade is not possible, configure the Sharp upload storage disk as private so that uploaded PHP or other executable files cannot be served directly
  • Verify that any publicly accessible upload directories are protected and monitor upload logs for unexpected file types
  • Enforce stricter MIME type and extension checks on the server side if custom upload handling is implemented



Advisories
Source: GitHub GHSA
ID: GHSA-fr76-5637-w3g9
Title: Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code16; Code16 sharp
Vendors & Products | | Code16; Code16 sharp

Thu, 26 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
Title | | Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
Weaknesses | | CWE-434
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T21:53:26.004Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33687

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T22:16:31.203

Modified: 2026-03-26T22:16:31.203

Link: CVE-2026-33687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:02Z

Weaknesses