CVE-2026-48557 | Severity: HIGH | CNA: VulnCheck

CVE-2026-48557: Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
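As an added illustration (constructed for this page, not the package's own FileAdder code), the PHP below models the final-suffix-only check described above beside a check that inspects every extension segment and neutralises inner dots in the stored name; the blocklist contents, the allowlist and the function names are assumptions, and the sample filenames are the ones the description mentions.

```php
<?php
// Added illustration, not Spatie's FileAdder code: a simplified model of the
// final-suffix-only check described above, beside a hardened check.

// Modelled blocklist; like the pre-11.23.0 one it omits php6, shtml and htaccess.
const FINAL_SUFFIX_BLOCKLIST = ['php', 'phtml', 'phar'];

// Hypothetical hardened lists for the defender's side of the comparison.
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php6', 'php7',
                             'phtml', 'phar', 'shtml', 'htaccess'];
const MEDIA_ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/** Pre-fix pattern: only the last suffix is consulted, so "shell.php.jpg" passes
 *  and "x.php6" passes because php6 is not on the list. */
function acceptsByFinalSuffix(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, FINAL_SUFFIX_BLOCKLIST, true);
}

/** Hardened: every dot-separated segment after the stem is an extension candidate,
 *  a dotfile such as ".htaccess" contributes its leading segment, and the final
 *  extension must additionally be on the allowlist. */
function acceptsAllSegments(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    foreach ($parts as $i => $segment) {
        if ($i === 0 && $segment !== '') {
            continue; // plain stem; "" means the name started with a dot
        }
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return false;
        }
    }
    return count($parts) > 1 && in_array(end($parts), MEDIA_ALLOWLIST, true);
}

/** Stored name with inner dots neutralised: pathinfo() keeps "shell.php" as the
 *  stem of "shell.php.jpg", which a legacy AddHandler match would still pick up. */
function storedName(string $name): string
{
    $stem = str_replace('.', '_', pathinfo($name, PATHINFO_FILENAME));
    return $stem . '.' . strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

foreach (['photo.jpg', 'shell.php.jpg', 'x.php6', '.htaccess', 'page.shtml'] as $n) {
    printf("%-14s final-suffix=%s all-segments=%s stored=%s\n", $n,
        acceptsByFinalSuffix($n) ? 'accept' : 'reject',
        acceptsAllSegments($n) ? 'accept' : 'reject', storedName($n));
}
```

Only photo.jpg is accepted by the hardened check; the other four pass the final-suffix check, which is the behaviour the advisory describes.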

HarborGuard Analysis

Synopsis

A file-upload restriction bypass in Spatie Laravel Media Library (before 11.23.0) lets an authenticated user smuggle dangerous file types past the sanitizer in FileAdder::defaultSanitizer(), which only inspects the final filename suffix and omits extensions like .php6, .shtml, and .htaccess from its blocklist. The flaw is reachable over the network by any account with upload privileges and, depending on the web server configuration, can lead to server-side code execution and full compromise of stored data and application integrity. A patched-image rebuild at 11.23.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that vendor laravel-medialibrary via Composer. Package-level matching catches the affected versions whether the dependency is declared directly or pulled in transitively.

Triage: Available

Triage scoring is available using the published CVSS v4.0 score of 8.7 (High), then re-weighted against each customer organization's compliance policy (for example, environments with stricter file-upload or PCI controls escalate this further). Findings route automatically to the appropriate inbox or ticket queue inside each customer org based on image ownership.

Patch: Available

A patched-image rebuild at laravel-medialibrary 11.23.0 is available on HarborGuard for any affected base or application image. For customers who opt into auto-remediation, the rebuild is produced automatically, regression tests are executed against the new image, and a pull request is opened against the workloads that consume it.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Laravel application's upload endpoint over the network (AV:N).

  • Authentication: Required

    A low-privilege account with permission to submit a media upload is sufficient (PR:L).

  • Victim interaction: Not required

    No user or admin needs to click or open anything; the upload request alone triggers the bypass (UI:N).

  • Attack complexity: Low

    Attack complexity is low: the bypass is reliable against vulnerable versions, though double-extension execution additionally depends on a legacy Apache AddHandler configuration (AC:L).

Blast Radius

  • Writes attacker-controlled files with executable extensions (.php6, .shtml, .htaccess) into media storage, which on misconfigured Apache hosts yields server-side code execution.
  • Reads and exfiltrates anything the PHP process can access, including database credentials, session tokens, and stored customer records (VC:H).
  • Modifies or replaces application files and persisted media, tampering with application integrity (VI:H).
  • Disrupts availability by overwriting critical files or planting resource-exhausting handlers (VA:H).

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at laravel-medialibrary 11.23.0 is generated for affected images, and for environments with auto-remediation enabled the rebuild flows through regression testing and into an automatically opened pull request against the workloads that use it. Median time from CVE publication to a merged patch PR for high-severity issues like this is around 90 minutes in auto-remediation environments. Where compliance policy blocks automatic merges, the rebuilt image and PR are still prepared and held for human approval, and teams running on Apache should additionally audit AddHandler and mod_mime directives to disable execution of files based on inner extensions.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 11.23.0
Affected Products: 1

Fix available: 11.23.0
Affected packages:
  • spatie / laravel-medialibrary < 11.23.0 (from 0)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N