Server-Side Request Forgery in Laravel-Mediable by Plank
CVE-2026-49969
5.3MEDIUM
What is CVE-2026-49969?
Laravel-Mediable prior to version 7.0.0 is susceptible to a server-side request forgery (SSRF) vulnerability that could be exploited by remote attackers. By providing unvalidated caller-controlled URLs to endpoints utilizing MediaUploader::fromSource(), attackers can manipulate requests to sensitive internal services. This may include targeting private RFC-1918 addresses, loopback interfaces, or potentially harmful file:// URIs through the RemoteUrlAdapter. The vulnerability allows attackers to infiltrate the internal infrastructure, access sensitive files, and potentially extract critical cloud credentials, such as IAM tokens from instance metadata services.
Affected Version(s)
laravel-mediable 0
