CVE-2026-33687
Sharp (code16/sharp) is a Laravel package where versions before 9.20.0 have an Arbitrary File Upload vulnerability in ApiFormUploadController. A client-controlled validation_rule is passed directly to Laravel’s validator, allowing an attacker to bypass all MIME type and file extension checks (e.g...
CVE-2026-33686
CVE-2026-33686 affects the Sharp Laravel package. Versions before 9.20.0 are vulnerable to a path traversal via the FileUtil::explodeExtension() function, which incorrectly sanitizes file extensions and can allow path separators to reach storage. The issue is resolved in 9.20.0 by using pathinfo(...