Arbitrary File Upload Vulnerability in plank/laravel-mediable Affects Web Applications
CVE-2026-4809

9.3CRITICAL

Key Information:

Vendor

Plank

Vendor
CVE Published:
26 March 2026

What is CVE-2026-4809?

The plank/laravel-mediable package, up to version 6.4.0, is susceptible to an arbitrary file upload vulnerability. This occurs when an application accepts or prioritizes a client-supplied MIME type during file uploads, enabling a remote attacker to submit a file disguised as a benign image while actually containing executable PHP code. If the compromised file is uploaded and stored in an executable directory accessible from the web, it can lead to remote code execution. At present, no patches are available and efforts for coordinated disclosure have not been acknowledged by the vendor.

Affected Version(s)

laravel-mediable <= 6.4.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sobirjonov Xurshidbek
.