PT-2026-41221 · Packagist · Mckenziearts/Livewire-Markdown-Editor
Publicado
2026-05-04
·
Atualizado
2026-05-04
CVSS v3.1
7.1
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
Impact
All versions of
mckenziearts/livewire-markdown-editor prior to v1.3 contain a critical arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler. The handler calls $file->store() with no server-side validation of MIME type, extension, or file content.Any authenticated user with access to a page embedding
<livewire:markdown-editor> can upload files of any type (.html, .svg, .js, .php, .exe, etc.) to the disk configured by livewire-markdown-editor.disk. When that disk is a public cloud bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage — the common configuration when FILESYSTEM DISK points to such a disk), uploaded files are served publicly with a guessed Content-Type header.The consequences include:
- Stored XSS on the storage domain via uploaded
.htmlor.svgfiles - Phishing page hosting on the application's own storage domain (trust laundering)
- Malware distribution from a domain users associate with the application
- Markdown injection in the editor output via crafted filenames (the client-supplied
getClientOriginalName()value was inserted verbatim into the markdown)
A real-world exploitation of this vulnerability was observed in production on a community platform using this package.
Patches
Upgrade to v1.3 or later.
Workarounds
If developers cannot upgrade immediately, disable the upload UI on every instance of the editor by passing
:show-upload="false":blade
<livewire:markdown-editor wire:model="content" :show-upload="false" />This hides the file input and prevents the vulnerable code path from being reached.
Resources
Correção
Unrestricted File Upload
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Mckenziearts/Livewire-Markdown-Editor