Plank · Laravel-Mediable · CVE-2026-4809
**Name of the Vulnerable Software and Affected Versions**
plank/laravel-mediable versions through 6.4.0
**Description**
The software is susceptible to arbitrary file upload when it accepts, or prefers, a client-supplied MIME type during file upload handling. An attacker can submit a file containing executable PHP code while declaring a benign image MIME type. If the uploaded file is stored in a web-accessible and executable location, this can lead to remote code execution. The API endpoint used for file uploads is not specified. The vulnerable input is the MIME type the client supplies alongside the uploaded `file` parameter. At the time of publication, no patch was available, and the vendor had not responded to coordinated disclosure attempts.
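The class of defect described above is easiest to see as a Laravel upload handler that trusts the request's declared type next to one that does not. The following is an added example written for this advisory; it is not code from plank/laravel-mediable, and the controller name, the `file` request field, the `uploads` directory and the `storage/app/uploads` path are assumptions chosen for illustration. The hardened variant derives the type from the bytes (finfo via Symfony's `getMimeType()`), picks the stored extension from that sniffed type rather than from the client, re-encodes the image so that a file with a valid image header and trailing PHP code does not survive intact, and writes the result outside the web root.

```php
<?php
// Added illustration, not code from plank/laravel-mediable or the advisory.
// Assumed (hypothetical) names: UploadImageController, the 'file' request field
// and the storage/app/uploads directory.

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

final class UploadImageController
{
    /** Content-sniffed MIME types we accept, mapped to the only extension they may be stored under. */
    private const ALLOWED = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    /**
     * Weak pattern (the one the advisory describes): type and extension come from
     * the multipart request, so PHP code declared as image/png passes the check.
     */
    public function storeWeak(Request $request): string
    {
        $file = $request->file('file');
        $mime = $file->getClientMimeType();          // attacker-controlled
        $ext  = $file->getClientOriginalExtension(); // attacker-controlled

        if (!isset(self::ALLOWED[$mime])) {
            abort(422, 'Unsupported file type');
        }
        // The extension and the location decide whether the web server executes the
        // file; both are wrong here: client-chosen extension under the public disk.
        return $file->storeAs('uploads', Str::random(32) . '.' . $ext, 'public');
    }

    /**
     * Hardened pattern: sniff the type from the bytes, choose the extension from the
     * sniffed type, re-encode the image, and keep it outside the web root.
     */
    public function storeHardened(Request $request): string
    {
        $file = $request->file('file');
        if (!$file instanceof UploadedFile || !$file->isValid()) {
            abort(422, 'No valid upload');
        }

        // Symfony's getMimeType() runs finfo/libmagic on the temporary file and
        // ignores the Content-Type the client declared.
        $mime = $file->getMimeType();
        if ($mime === null || !isset(self::ALLOWED[$mime])) {
            abort(422, 'Unsupported file type');
        }

        // Magic-byte sniffing alone is not enough: a file can start with a valid
        // image header and still carry PHP code, so decode and re-encode it with GD.
        $image = @imagecreatefromstring((string) file_get_contents($file->getRealPath()));
        if ($image === false) {
            abort(422, 'Not a decodable image');
        }

        // storage/app is outside public/, so nothing here is served or executed directly.
        $dir = storage_path('app/uploads');
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            abort(500, 'Upload directory unavailable');
        }
        $name   = Str::random(32) . '.' . self::ALLOWED[$mime]; // server-chosen name and extension
        $target = $dir . DIRECTORY_SEPARATOR . $name;

        $written = match ($mime) {
            'image/jpeg' => imagejpeg($image, $target, 90),
            'image/png'  => imagepng($image, $target),
            'image/gif'  => imagegif($image, $target),
        };
        imagedestroy($image);
        if ($written !== true) {
            abort(500, 'Could not write image');
        }

        // Serve later through a controller that sets Content-Type from ALLOWED,
        // never by exposing the storage directory as a URL.
        return $name;
    }
}
```

The controls that actually matter are the last three: a server-chosen extension, a storage location the web server will not execute, and a response path that sets the Content-Type itself. Content sniffing is a filter, not a boundary, which is why the hardened handler does not stop at `getMimeType()`.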
**Recommendations**
Versions prior to 6.4.0 should not be used.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.