File Upload Vulnerability in Laravel-Mediable Product by Plank
CVE-2026-49972

7.7HIGH

Key Information:

Vendor

Plank

Vendor
CVE Published:
13 July 2026

What is CVE-2026-49972?

The Laravel-Mediable product prior to version 7.0.0 is susceptible to a file upload vulnerability that enables unauthenticated attackers to execute remote code. This occurs when a malicious user uploads a file with a PHP extension concealed within a double extension, such as shell.php.jpg. The vulnerability arises from the PATHINFO_FILENAME extraction method, which retains the inner .php extension in the filename. On improperly configured servers using Apache or Nginx that execute filenames containing .php as PHP scripts, the uploaded file can be interpreted as executable code. This situation is exacerbated by the lack of proper MIME type and extension validation due to the outer .jpg extension.

Affected Version(s)

laravel-mediable 0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Xurshidbek Sobirjonov
VulnCheck
.