Description
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spatie Laravel Media Library versions prior to 11.23.0 contain a server-side request forgery (SSRF) flaw that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method. The advisory does not detail additional impacts beyond the SSRF capability. The vulnerability is listed as CWE-918.

Affected Systems

The affected product is spatie/laravel-medialibrary in Laravel applications where the version is older than 11.23.0. Any deployment that uses the addMediaFromUrl() call in InteractsWithMedia.php without proper URL validation is at risk. No additional sub-version detail was provided by the CNA.

Risk and Exploitability

With a CVSS score of 5.3 the severity is moderate; the EPSS score is unknown and the flaw is not listed in CISA's KEV catalog, indicating that no large-scale exploitation has been documented yet. Based on the description, it is inferred that the vulnerability could be exercised by supplying a malicious URL to the addMediaFromUrl() method via an externally accessible endpoint, causing the application server to make the outbound request. The advisory does not specify prerequisites for exploitation, but the presence of a public method suggests that the flaw could be reachable from the web.

Generated by OpenCVE AI on May 29, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to spatie/laravel-medialibrary 11.23.0 or later to eliminate the SSRF issue.
  • Remove or disable any code paths that invoke addMediaFromUrl() if the functionality is not required.
  • If an upgrade cannot be performed immediately, implement strict URL validation or allow-listing before passing values to addMediaFromUrl().
  • Consider blocking or restricting outbound HTTP traffic from the application server through firewall rules or network segmentation.

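The interim mitigation recommended above (strict URL validation or allow-listing before the value reaches addMediaFromUrl()) can be implemented as a small policy class. This is an added example, not code from the advisory or from the spatie/laravel-medialibrary project; the class, method and host names are assumptions, and only addMediaFromUrl() is taken from the advisory.

```php
<?php
// Added example (not from the advisory or the library): allow-list a URL before it is
// passed to addMediaFromUrl(). Class, method and host names are assumptions.

final class OutboundUrlPolicy
{
    /** @param string[] $allowedHosts exact, lower-case hostnames the app may fetch from */
    public function __construct(private array $allowedHosts) {}

    /** Returns null when the URL may be fetched, otherwise the reason it was rejected. */
    public function reject(string $url): ?string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return 'unparseable or relative URL';
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return 'scheme not allowed';          // rejects file://, ftp://, gopher:// and similar
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return 'credentials in URL';          // userinfo can confuse host parsing downstream
        }
        $host = strtolower(rtrim($parts['host'], '.'));
        if (!in_array($host, $this->allowedHosts, true)) {
            return 'host not on allow-list';
        }
        // Resolve the name and refuse private, loopback and reserved answers: an
        // allow-listed name that points at an internal address is still an SSRF path.
        $ips = gethostbynamel($host) ?: [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ipv6'];
        }
        if ($ips === []) {
            return 'host does not resolve';
        }
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
                return "host resolves to a non-public address ($ip)";
            }
        }
        return null;
    }
}

// Usage in a controller (assumed names apart from addMediaFromUrl()):
// $policy = new OutboundUrlPolicy(['cdn.example.com']);
// if ($reason = $policy->reject($request->input('url'))) abort(422, "URL rejected: $reason");
// $model->addMediaFromUrl($request->input('url'))->toMediaCollection();
```

The check resolves the name separately from the later fetch, so it does not bind the download to the address it validated; the egress restriction in the last recommendation above remains the backstop for redirects and changing DNS answers.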

Advisories

No advisories yet.

History

Fri, 29 May 2026 22:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 22:15:00 +0000

Type: First Time appeared
Values added: Spatie; Spatie laravel Media Library
Type: Vendors & Products
Values added: Spatie; Spatie laravel Media Library

Fri, 29 May 2026 19:30:00 +0000

Type: Description
Values added: Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
Type: Title
Values added: Spatie Laravel Media Library < 11.23.0 SSRF via addMediaFromUrl()
Type: Weaknesses
Values added: CWE-918
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T21:37:53.251Z

Reserved: 2026-05-21T18:34:46.418Z

Link: CVE-2026-48555

Vulnrichment

Updated: 2026-05-29T21:37:49.524Z

NVD

Status: Deferred

Published: 2026-05-29T20:16:28.817

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-48555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:00:09Z

Weaknesses