Description
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
Published: 2026-03-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Upload
Action: Apply Mitigation
AI Analysis

Impact

Plank's laravel-mediable package permits a web application to accept client-supplied MIME types for file uploads. An attacker can submit a file containing executable PHP code while declaring the MIME type as a harmless image. Because the package trusts the client-provided MIME type, the file is stored on the server without proper validation. If the upload location is web‑accessible and executable, the attacker can achieve remote code execution, compromising server integrity, confidentiality, and availability. This reflects an unvalidated file upload weakness (CWE-434).

Affected Systems

Any application using plank's laravel-mediable package up to and including version 6.4.0 is affected when configured to prefer or accept the client-supplied MIME type. As the package is widely used in Laravel-based CMS and e-commerce projects, the vulnerability spans a range of PHP web applications. No further constraints are specified, so the impact is relevant to any environment deploying the vulnerable library.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, confirming a high likelihood of successful exploitation. The EPSS score is not available, but the absence of a public patch and vendor response suggest that attackers could readily leverage this flaw. Because the vulnerability is triggered via a standard file upload form over HTTP, the attack vector is remote and does not require authentication. Potential consequences include arbitrary code execution on the host, which could lead to full system compromise. The vulnerability is not listed in CISA’s KEV catalog, yet it poses the same risks as other documented arbitrary upload exploits.

Generated by OpenCVE AI on March 26, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable acceptance of client‑supplied MIME types and enforce server‑side MIME type validation.
  • Store uploaded files in a directory outside the web root or configure the web server to treat uploaded files as non‑executable.
  • Implement a whitelist that allows only safe image MIME types and extensions, rejecting all others.
  • Review upload handling code to ensure file content is verified, not just the MIME type.
  • Apply a vendor patch or upgrade to a version that eliminates the vulnerability once available; otherwise, block or remove the upload feature until a fix is released.

Generated by OpenCVE AI on March 26, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Plank
Plank laravel-mediable
Vendors & Products Plank
Plank laravel-mediable

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
Title Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
Weaknesses CWE-434
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Plank Laravel-mediable
cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-26T13:41:27.981Z

Reserved: 2026-03-25T12:35:26.385Z

Link: CVE-2026-4809

cve-icon Vulnrichment

Updated: 2026-03-26T13:41:24.248Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T11:16:21.440

Modified: 2026-03-26T15:13:15.790

Link: CVE-2026-4809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T08:36:14Z

Weaknesses