Stored Cross-Site Scripting Vulnerability in Laravel-Mediable Product by Plank
CVE-2026-49971

5.3MEDIUM

Key Information:

Vendor

Plank

Vendor
CVE Published:
13 July 2026

What is CVE-2026-49971?

Laravel-Mediable prior to version 7.0.0 is susceptible to a stored cross-site scripting vulnerability. This flaw permits both authenticated and unauthenticated users to upload unsanitized SVG files containing malicious JavaScript. When such SVG files are stored, attackers can embed scripts within onload event handlers, script tags, or foreignObject elements. The malicious scripts execute automatically when the file is opened or previewed, granting the attacker full access to the DOM, which can lead to session cookie theft, CSRF token capture, and potential account takeovers.

Affected Version(s)

laravel-mediable 0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Xurshidbek Sobirjonov
VulnCheck
.