Lucene search
+L

29 matches found

NVD
NVD
added 5 days ago8 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS0.00203EPSS
Exploits0References3
NVD
NVD
added 5 days ago7 views

CVE-2026-49972

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

8.8CVSS0.00777EPSS
Exploits0References3
NVD
NVD
added 5 days ago11 views

CVE-2026-49970

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.8CVSS0.00771EPSS
Exploits0References3
NVD
NVD
added 5 days ago10 views

CVE-2026-49969

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...

7.4CVSS0.00241EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 5 days ago2 views

CVE-2026-49972

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

8.8CVSS6.5AI score0.00777EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-49972 Laravel-Mediable < 7.0.0 File Upload RCE via Extension Bypass

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

8.8CVSS0.00777EPSS
Exploits0References3
CVE
CVE
added 5 days ago11 views

CVE-2026-49972

CVE-2026-49972 affects Laravel-Mediable prior to 7.0.0. A file upload vulnerability enables unauthenticated remote code execution via a double extension (e.g., shell.php.jpg). The attacker relies on PATHINFO_FILENAME preserving the inner .php extension in the base name, and on misconfigured serve...

8.8CVSS6.5AI score0.00777EPSS
Exploits0References3
OSV
OSV
added 5 days ago4 views

CVE-2026-49972 Laravel-Mediable < 7.0.0 File Upload RCE via Extension Bypass

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

7.7CVSS6.5AI score0.00777EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 5 days ago4 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS6.3AI score0.00203EPSS
Exploits0References4
CVE
CVE
added 5 days ago12 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 has a stored XSS in SVG file uploads. Both authenticated and anonymous users can upload unsanitized SVG files containing scripts (onload handlers, script tags, or foreignObject) which can store persistent XSS payloads. When victims view or preview the SVG, the payloa...

6.1CVSS6.3AI score0.00203EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-49971 Laravel-Mediable < 7.0.0 Stored XSS via SVG File Upload

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS0.00203EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-49970 Laravel-Mediable < 7.0.0 Path Traversal via File::sanitizePath()

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.8CVSS0.00771EPSS
Exploits0References3
CVE
CVE
added 5 days ago13 views

CVE-2026-49970

Vulnerability summary: Laravel-Mediable before 7.0.0 contains a path traversal flaw in File::sanitizePath() that lets attackers write uploaded files to arbitrary locations via MediaUploader::toDestination(), due to a permissive regex allowing dot/slash and a weak trailing trim. This can enable re...

8.8CVSS6.3AI score0.00771EPSS
Exploits0References3
OSV
OSV
added 5 days ago5 views

CVE-2026-49970 Laravel-Mediable < 7.0.0 Path Traversal via File::sanitizePath()

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.7CVSS6.3AI score0.00771EPSS
Exploits0References6
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-49969 Laravel-Mediable < 7.0.0 SSRF via RemoteUrlAdapter URL Handling

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...

7.4CVSS0.00241EPSS
Exploits0References3
CVE
CVE
added 5 days ago11 views

CVE-2026-49969

Vulnerability overview: Laravel-Mediable

7.4CVSS6.2AI score0.00241EPSS
Exploits0References3
OSV
OSV
added 5 days ago5 views

CVE-2026-49969 Laravel-Mediable < 7.0.0 SSRF via RemoteUrlAdapter URL Handling

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...

5.3CVSS6.2AI score0.00241EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-57850

Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0 Description An issue exists where unauthenticated attackers can achieve remote code execution by uploading files with double extensions, such as shell.php.jpg. The PATHINFO FILENAME extraction preserves...

8.8CVSS6.5AI score0.00777EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/27 5:9 p.m.6 views

CVE-2026-4809

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while...

10CVSS6.2AI score0.01279EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/26 12:30 p.m.6 views

EUVD-2026-16164

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while...

10CVSS6.2AI score0.01279EPSS
Exploits0References4
Rows per page
Query Builder