PT-2026-28649 · Plank · Laravel-Mediable

Sobirjonov Xurshidbek · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4809

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: plank/laravel-mediable versions through 6.4.0

Description: The software is susceptible to arbitrary file upload when it accepts or prefers a client-supplied MIME type during file upload handling. An attacker can submit a file containing executable PHP code while declaring a benign image MIME type. If the uploaded file is stored in a web-accessible and executable location, this can lead to remote code execution. The API endpoint used for file uploads is not specified. The vulnerable parameter is the MIME type provided by the client during file upload, specifically the file parameter. At the time of publication, no patch was available, and the vendor had not responded to coordinated disclosure attempts.

Recommendations: Versions prior to 6.4.0 should not be used. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
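As an added illustration of the mitigation the description implies (this is not code from the laravel-mediable project), the check below ignores the client-declared MIME type, determines the type from the file's bytes, and rejects anything outside an allowlist; the function name and the allowlist are assumptions.

```php
<?php
// Added example: decide the MIME type from the file's contents, never from
// the client-declared type, and refuse anything not on an allowlist.
// Function name and allowlist are illustrative assumptions.

declare(strict_types=1);

/** Content-detected MIME types that are accepted, mapped to the extensions they may keep. */
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];

/**
 * Validate an uploaded file using only server-side evidence.
 *
 * @param string $tmpPath      Uploaded temp file (e.g. $_FILES['file']['tmp_name']).
 * @param string $originalName Client-supplied file name, used only for the extension check.
 * @param string $clientMime   Client-declared MIME type; logged for detection, never trusted.
 * @return string The content-detected MIME type on success.
 * @throws RuntimeException when the file is rejected.
 */
function validateImageUpload(string $tmpPath, string $originalName, string $clientMime): string
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);   // libmagic sniffs the bytes, e.g. text/x-php for a script
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new RuntimeException(sprintf(
            'Rejected upload: content type %s (client claimed %s)',
            var_export($detected, true), $clientMime
        ));
    }

    // A declared/detected mismatch is the signature of this attack; keep it in the logs.
    if (strcasecmp($clientMime, $detected) !== 0) {
        error_log("Upload MIME mismatch: client={$clientMime} detected={$detected}");
    }

    // A script extension must not survive even when the leading bytes look like an image.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$detected], true)) {
        throw new RuntimeException("Rejected upload: extension .{$ext} not allowed for {$detected}");
    }

    return $detected;
}
```

Accepted files should still be written under a server-generated name to a location the web server will not execute, since the advisory names a web-accessible, executable storage location as the condition for remote code execution.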

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2026-4809

Affected Products: Laravel-Mediable