File Upload Vulnerability in Sharp Content Management Framework for Laravel
CVE-2026-33687

8.8 HIGH

Key Information:

Vendor: Code16

Status
Vendor
CVE Published: 26 March 2026

What is CVE-2026-33687?

The Sharp content management framework for Laravel has a vulnerability in its file upload system that allows authenticated users to bypass file type restrictions. The validation_rule parameter can be manipulated, enabling an attacker to upload files that may contain malicious content. This issue arises from insufficient server-side validation of the validation_rule parameter in the ApiFormUploadController, potentially leading to unauthorized file uploads. The vulnerability has been resolved in version 9.20.0, which enforces server-side controls for upload rules. To mitigate risks before updating, it is recommended that users ensure their storage configurations are set to private.
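The flaw class described above, as an added example that is not Sharp's code: a handler that takes its upload rule from the request, next to one that looks the rule up on the server. The function names, field keys, rule format and sample request are all assumptions made for illustration.

```php
<?php
// Added illustration, not Sharp's code. Every name below is hypothetical.

// Upload rules defined on the server, keyed by form field (constructed values).
const UPLOAD_RULES = [
    'avatar'   => ['extensions' => ['jpg', 'jpeg', 'png'], 'max_kb' => 2048],
    'contract' => ['extensions' => ['pdf'], 'max_kb' => 10240],
];

function extensionOf(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Flawed pattern: the rule that decides acceptance is read from the request,
// so whoever sends the request also chooses what is allowed.
function acceptTrustingClientRule(array $request): bool
{
    $allowed = array_map('trim', explode(',', $request['validation_rule'] ?? ''));
    return in_array(extensionOf($request['filename']), $allowed, true);
}

// Corrected pattern: any client-sent rule is ignored; the rule is looked up
// on the server from the field being uploaded to, and unknown fields fail.
function acceptWithServerRule(array $request): bool
{
    $rule = UPLOAD_RULES[$request['field'] ?? ''] ?? null;
    if ($rule === null) {
        return false;
    }
    return in_array(extensionOf($request['filename']), $rule['extensions'], true)
        && ($request['size_kb'] ?? PHP_INT_MAX) <= $rule['max_kb'];
}

// Constructed request: the rule sent by the client does not match the
// server's rule for the "avatar" field.
$request = [
    'field'           => 'avatar',
    'filename'        => 'notes.html',
    'size_kb'         => 12,
    'validation_rule' => 'html',
];

var_dump(acceptTrustingClientRule($request));
var_dump(acceptWithServerRule($request));
```

The extension and size checks stand in for whatever rule set an application enforces; what the comparison shows is where the rule comes from.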

Affected Version(s)

sharp < 9.20.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
