File Upload Restriction Bypass in Spatie Laravel Media Library
CVE-2026-48557

8.7 HIGH

Key Information:

Vendor: Spatie
CVE Published: 29 May 2026

What is CVE-2026-48557?

Spatie Laravel Media Library before version 11.23.0 is vulnerable to a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer compares only the final filename suffix against its blocklist, so a double-extension name such as shell.php.jpg passes the check. The blocklist also omits extensions that some web servers treat as executable or as server configuration, including .php6, .shtml and .htaccess. Executing an uploaded shell.php.jpg as PHP requires a server configuration that maps handlers on non-final extensions, for example a legacy Apache AddHandler directive, which matches any file whose name contains the mapped extension rather than only the last one. The missing blocklist entries are a concern independently of that configuration.
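The following is an added example, not code from spatie/laravel-medialibrary. It puts a suffix-only extension check (the weakness described above) beside a hardened check and a rewriting sanitizer that inspects every dot-separated segment, so that neither a double extension nor a dot-file such as .htaccess survives. The blocklist is an illustrative assumption rather than the library's own list, and the commented usage relies on the sanitizingFileName() hook documented for the Media Library FileAdder.

```php
<?php
// Added example, not code from spatie/laravel-medialibrary. It contrasts a
// suffix-only extension check (the weakness the advisory describes) with a
// sanitizer that neutralises every dot-separated segment. The blocklist below
// is an illustrative assumption, not the library's own list.

declare(strict_types=1);

const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'php8', 'phtml', 'phar',
    'shtml', 'shtm', 'htaccess', 'htpasswd', 'cgi', 'pl', 'py', 'sh',
];

// Weak check: inspects only the final suffix, so "shell.php.jpg" is allowed.
function weakIsAllowed(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Hardened check: every segment after the first dot counts as an extension,
// and a dot-file such as ".htaccess" (empty stem) is caught as well.
function hardenedIsAllowed(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Sanitizer that rewrites rather than rejects: keeps a single, final
// extension, folds inner dots into underscores (so no ".php" segment survives
// for an AddHandler-style match), and replaces a blocked or missing extension
// with ".txt".
function sanitizeUploadName(string $name): string
{
    $base = strtolower(basename($name));
    $base = preg_replace('/[^a-z0-9._-]+/', '-', $base) ?? 'file';
    $parts = explode('.', $base);
    $ext = count($parts) > 1 ? array_pop($parts) : '';
    $stem = trim(implode('_', $parts), '._-');
    if ($stem === '') {
        $stem = 'file';
    }
    if ($ext === '' || in_array($ext, BLOCKED_EXTENSIONS, true)) {
        $ext = 'txt';
    }
    return $stem . '.' . $ext;
}

// Wiring into the library would go through the documented sanitizingFileName()
// hook on the FileAdder (assumption: signature as in the Media Library docs):
//   $model->addMedia($path)
//         ->sanitizingFileName(fn (string $n) => sanitizeUploadName($n))
//         ->toMediaCollection();

// Constructed sample names with the expected sanitized result beside each.
$samples = [
    'shell.php.jpg' => 'shell_php.jpg',
    '.htaccess'     => 'file.txt',
    'index.php6'    => 'index.txt',
    'page.shtml'    => 'page.txt',
    'Photo 01.JPG'  => 'photo-01.jpg',
    'README'        => 'readme.txt',
];

foreach ($samples as $input => $expected) {
    $weak = weakIsAllowed($input) ? 'allowed' : 'blocked';
    $hard = hardenedIsAllowed($input) ? 'allowed' : 'blocked';
    $out  = sanitizeUploadName($input);
    printf("%-14s weak=%-7s hardened=%-7s sanitized=%s%s\n",
        $input, $weak, $hard, $out, $out === $expected ? '' : '  MISMATCH');
}
```

The rewriting sanitizer is deliberately stricter than a blocklist alone: collapsing inner dots means a name can never carry a second extension for the web server to interpret, which is the only defence that holds when the server's handler mapping is outside the application's control.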

Affected Version(s)

laravel-medialibrary before 11.23.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 29 May 2026

Credit

Xurshidbek Sobirjonov
VulnCheck