Carbon · Carbon · CVE-2025-22145
**Name of the Vulnerable Software and Affected Versions**
Carbon versions prior to 3.8.4
Carbon versions prior to 2.72.6
**Description**
The issue arises when applications pass unsanitized user input to `Carbon::setLocale`, putting them at risk of arbitrary file inclusion. If the application allows users to upload files with a `.php` extension in a folder that permits `include` or `require` to read it, they are at risk of arbitrary code execution on their servers.
**Recommendations**
For versions prior to 3.8.4, update to version 3.8.4 or later.
For versions prior to 2.72.6, update to version 2.72.6 or later.
As a temporary workaround, consider validating input before calling `setLocale()`, such as forbidding or removing `/` and `\`.
Alternatively, call `setLocale()` only with a locale from a whitelist of supported locales.
When accepting file uploads, rename the stored files so they cannot end in a `.php` extension.
Prefer storage systems that are not local to the application, such as remote services or local services run by another user.
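The two workarounds above (pass `setLocale()` only an allow-listed locale, and never store uploads under a user-chosen `.php` name) in PHP, as an added example that is not part of this advisory or of the Carbon project. It assumes Carbon is installed through Composer; the `LocaleGuard` class, `safeUploadName()` helper, the locale allow-list and the extension map are constructed for illustration and would be replaced by the application's own supported values.

```php
<?php
// Added example (not from the advisory or Carbon). Assumes Carbon is installed
// via Composer. LocaleGuard, safeUploadName() and the lists below are
// constructed for illustration.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Carbon\Carbon;

final class LocaleGuard
{
    /** Constructed sample: the locales this application actually ships. */
    private const SUPPORTED = ['en', 'fr', 'de', 'pt_BR', 'zh_TW'];

    /** Fallback used when the request carries an unknown or malformed locale. */
    private const DEFAULT = 'en';

    /**
     * Map untrusted input to a known-good locale. The raw request string is
     * never forwarded; only the matching allow-list entry is.
     */
    public static function resolve(?string $requested): string
    {
        if ($requested === null) {
            return self::DEFAULT;
        }
        // Defence in depth: only a plain locale token (e.g. "fr" or "pt_BR")
        // is even looked up, so path separators never reach the lookup.
        if (preg_match('/\A[a-z]{2,3}(?:_[A-Za-z]{2,4})?\z/', $requested) !== 1) {
            return self::DEFAULT;
        }
        $index = array_search($requested, self::SUPPORTED, true);
        return $index === false ? self::DEFAULT : self::SUPPORTED[$index];
    }

    /** Resolve the request value and hand Carbon the allow-listed locale only. */
    public static function apply(?string $requested): string
    {
        $locale = self::resolve($requested);
        Carbon::setLocale($locale);
        return $locale;
    }
}

/**
 * Build a storage name for an upload: random, and with an extension taken
 * from a fixed map, so a user-chosen ".php" name can never reach the disk.
 */
function safeUploadName(string $originalName): string
{
    // Constructed sample of permitted extensions; anything else becomes ".bin".
    $allowed = ['png' => 'png', 'jpg' => 'jpg', 'jpeg' => 'jpg', 'pdf' => 'pdf'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $safeExt = $allowed[$ext] ?? 'bin';
    return bin2hex(random_bytes(16)) . '.' . $safeExt;
}

// Vulnerable shape described by the advisory (kept as a comment only):
//   Carbon::setLocale($_GET['lang']);
//
// Hardened call: the request value is resolved against the allow-list first.
$locale = LocaleGuard::apply($_GET['lang'] ?? null);
echo 'Locale in use: ', $locale, PHP_EOL;
echo Carbon::now()->isoFormat('LL'), PHP_EOL;

// Upload handling: the stored name does not depend on the client's name.
if (isset($_FILES['document']['name'])) {
    echo 'Would store as: ', safeUploadName($_FILES['document']['name']), PHP_EOL;
}
```

`resolve()` returns the allow-list entry rather than the input that matched it, so even a match cannot smuggle a differently encoded string through to `setLocale()`; the regular expression in front of it is belt-and-braces and is not the control the fix relies on. `safeUploadName()` deliberately ignores everything about the client's filename except which entry of a fixed map it selects, which is what makes the resulting extension independent of user input.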