CVE-2026-33686

Name of the Vulnerable Software and Affected Versions Sharp versions prior to 9.20.0

Description The application does not properly sanitize file extensions, allowing path separators to be passed into the storage layer. The FileUtil::explodeExtension() function in src/Utils/FileUtil.php extracts a file's extension by splitting the filename at the last dot without sanitization. This allows an authenticated attacker to manipulate file paths and potentially write files outside the intended directory or overwrite critical files. The issue is related to the improper handling of file extensions during storage operations.

Recommendations Update to version 9.20.0 or later.