CVE-2026-44692

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the...

Sharp has Unrestricted File Upload via Client-Controlled Validation Rules

Summary The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions. Details The upload endpoint within the ApiFormUploadController accepts a client-controlled validationrule parameter. This...

PT-2026-28177

Name of the Vulnerable Software and Affected Versions Sharp versions prior to 9.20.0 Description The application does not properly sanitize file extensions, allowing path separators to be passed into the storage layer. The FileUtil::explodeExtension function in src/Utils/FileUtil.php extracts a...

org.webjars.npm:canvas (>=2.5.0 <=2.6.0), org.webjars.npm:color-thief (=2.2.5) +12 more potentially affected by CVE-2026-29786 via org.webjars.npm:tar (>=0.1.20 <=4.4.19)

org.webjars.npm:tar MAVEN version =0.1.20, =2.5.0, =0.97.5, =0.2.0, =3.4.0, =0.6.19, =2.0.0, =3.1.4, =3.4.1 - org.webjars.npm:tar.gz =1.0.7 Source cves: CVE-2026-29786 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15416076...

CVE-2022-29256

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5. If an attacker has the ability to set the value of the PKGCONFIGPATH...