Description
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Spatie Laravel Media Library older than 11.23.0, where the default sanitizer in FileAdder::defaultSanitizer() only checks the last suffix of a filename. Attackers can craft double‑extension names such as shell.php.jpg that bypass the blocklist. The sanitizer also fails to block several executable extensions like .php6, .shtml, and .htaccess. If the web server uses a legacy Apache AddHandler mapping that treats the outer extension as executable, the bypass allows arbitrary PHP execution. Even without that configuration, the flaw still allows an attacker to store files with dangerous extensions on the filesystem.

Affected Systems

All installations of the Spatie Laravel Media Library package with a version earlier than 11.23.0 are impacted. The vulnerability is tied to the PHP library provided by spatie, not to any specific Laravel framework version.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The exploit requires an attacker to upload a crafted file, and success depends on server configuration – the risk is significant on legacy Apache setups that map image extensions to the PHP handler. The EPSS score is not available, and the vulnerability is not listed in KEV, suggesting it has not yet been widely exploited in the wild, but the potential for critical impact remains.

Generated by OpenCVE AI on May 29, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spatie Laravel Media Library to version 11.23.0 or later.
  • Modify the web server configuration to prevent execution of files with disallowed extensions or remove legacy AddHandler directives that map image extensions to PHP.
  • Implement additional server‑side validation to reject filenames containing multiple extensions before processing.
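To make the third recommendation concrete, the following is an added example (not Spatie's code and not the fix shipped in 11.23.0) of a PHP upload-name check that inspects every dot-separated suffix rather than only the last one, so a name like shell.php.jpg is refused along with shell.php, and that treats dotfiles such as .htaccess as rejected. The function names and the blocklist contents are assumptions for illustration, not the package's own list.

```php
<?php
declare(strict_types=1);

// Added example, not Spatie's code. The blocklist is an illustrative
// assumption; it is not the package's list and is not meant to be exhaustive.
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'php8', 'phtml', 'phar',
    'shtml', 'shtm', 'htaccess', 'htpasswd', 'cgi', 'pl', 'sh',
];

/**
 * Return true only if no component after the stem is a blocked extension.
 * Dotfiles (".htaccess") are rejected outright: pathinfo() reports an empty
 * "filename" and "htaccess" as the extension for them, so a check that only
 * looks at the stem would let them through.
 */
function isSafeUploadName(string $fileName): bool
{
    $base = basename($fileName); // drop any directory component
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    $parts = explode('.', strtolower($base));
    array_shift($parts); // every remaining part is treated as an extension
    foreach ($parts as $part) {
        if (in_array($part, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Produce the name that will actually be written to disk. Besides refusing
 * blocked suffixes, it collapses every dot in the stem to "-", so an inner
 * ".php" cannot survive into the stored filename the way pathinfo()'s
 * "filename" component ("shell.php" for "shell.php.jpg") would preserve it.
 */
function sanitizeUploadName(string $fileName): string
{
    if (!isSafeUploadName($fileName)) {
        throw new InvalidArgumentException("Rejected upload name: {$fileName}");
    }
    $info = pathinfo(basename($fileName));
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '-', $info['filename']);
    $stem = trim($stem, '-') ?: 'upload';
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    return $ext === '' ? $stem : "{$stem}.{$ext}";
}

// Constructed sample names for a local run (php this_file.php).
$samples = ['photo.jpg', 'shell.php.jpg', 'notes.php6', '.htaccess', 'index.shtml', 'a.b.c.png'];
foreach ($samples as $name) {
    try {
        printf("%-15s -> stored as %s\n", $name, sanitizeUploadName($name));
    } catch (InvalidArgumentException $e) {
        printf("%-15s -> rejected\n", $name);
    }
}
```

Checking every dotted component, not just the last, is the check that corresponds to how Apache's mod_mime AddHandler matches extensions anywhere in a multi-extension name; the cost is refusing some harmless names such as report.php.txt, which is the intended trade-off for an upload endpoint. The server-side configuration change in the second recommendation remains necessary regardless, since no filename filter can substitute for not executing files from the upload directory.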


Advisories

No advisories yet.

History

Fri, 29 May 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Spatie; Spatie laravel Media Library
Type: Vendors & Products
Values Removed: none
Values Added: Spatie; Spatie laravel Media Library

Fri, 29 May 2026 21:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 20:15:00 +0000

Type: Description
Values Removed: none
Values Added: Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
Type: Title
Values Removed: none
Values Added: Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php
Type: Weaknesses
Values Removed: none
Values Added: CWE-184
Type: References
Values Removed: none
Values Added: none listed
Type: Metrics
Values Removed: none
Values Added: cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T20:19:50.229Z

Reserved: 2026-05-21T18:34:46.418Z

Link: CVE-2026-48557

Vulnrichment

Updated: 2026-05-29T20:19:47.104Z

NVD

Status : Deferred

Published: 2026-05-29T20:16:28.957

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-48557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:00:09Z

Weaknesses