Path Traversal Vulnerability in Laravel-Mediable by Plank
CVE-2026-49970

8.7HIGH

Key Information:

Vendor

Plank

Vendor
CVE Published:
13 July 2026

What is CVE-2026-49970?

The Laravel-Mediable package prior to version 7.0.0 is susceptible to a path traversal vulnerability rooted in the File::sanitizePath() function. This flaw allows attackers to manipulate the directory argument in the MediaUploader::toDestination() method, leading to arbitrary file uploads. This exploitation arises from a permissive regex that inadvertently allows both dot and slash characters, compounded by an ineffective trailing trim() call, which bypasses intended sanitization measures. As a result, attackers can upload files to sensitive directories such as the document root and configuration files, potentially leading to remote code execution within the affected applications.

Affected Version(s)

laravel-mediable 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Xurshidbek Sobirjonov
VulnCheck
.