CVE-2026-33687

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the ApiFormUploadController accepts a...

CVE-2026-33686 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In...

CVE-2026-33687

Sharp (code16/sharp) is a Laravel package where versions before 9.20.0 have an Arbitrary File Upload vulnerability in ApiFormUploadController. A client-controlled validation_rule is passed directly to Laravel’s validator, allowing an attacker to bypass all MIME type and file extension checks (e.g...

CVE-2025-62798

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting XSS vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in & were evaluated by Vue. Thi...

CVE-2025-62798 Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting XSS vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in & were evaluated by Vue. Thi...

PT-2025-44216

Name of the Vulnerable Software and Affected Versions Sharp versions prior to 9.11.1 Description Sharp, a content management framework for Laravel, contains a Cross-Site Scripting XSS issue in the SharpShowTextField component. Prior to version 9.11.1, expressions enclosed in & were processed by...