File Upload Vulnerability in Laravel-Mediable Product by Plank
CVE-2026-49972
7.7HIGH
What is CVE-2026-49972?
The Laravel-Mediable product prior to version 7.0.0 is susceptible to a file upload vulnerability that enables unauthenticated attackers to execute remote code. This occurs when a malicious user uploads a file with a PHP extension concealed within a double extension, such as shell.php.jpg. The vulnerability arises from the PATHINFO_FILENAME extraction method, which retains the inner .php extension in the filename. On improperly configured servers using Apache or Nginx that execute filenames containing .php as PHP scripts, the uploaded file can be interpreted as executable code. This situation is exacerbated by the lack of proper MIME type and extension validation due to the outer .jpg extension.
Affected Version(s)
laravel-mediable 0
