Server-Side Request Forgery Vulnerability in Spatie Laravel Media Library
CVE-2026-48555

5.3MEDIUM

Key Information:

Vendor

Spatie

Status
Laravel-medialibrary
Vendor
CVE Published:
29 May 2026

What is CVE-2026-48555?

The Spatie Laravel Media Library prior to version 11.23.0 is susceptible to a server-side request forgery vulnerability. This issue arises when user-controlled URLs are passed to the addMediaFromUrl() method in the InteractsWithMedia.php file. By exploiting this vulnerability, remote attackers can manipulate the server into making arbitrary outbound HTTP requests, potentially leading to unauthorized access or data leakage. Users are strongly advised to upgrade to the latest version to mitigate this risk.

Affected Version(s)

laravel-medialibrary 0

References

https://github.com/spatie/laravel-medialibrary/releases/t...
release-notes
https://github.com/spatie/laravel-medialibrary/pull/3939
issue-tracking
https://github.com/spatie/laravel-medialibrary/commit/608...
patch

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Xurshidbek Sobirjonov
VulnCheck
.