PT-2026-28178 · Laravel+1

Zaurgsynv · Published 2026-03-25 · Updated 2026-03-27 · CVE-2026-33687

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sharp versions prior to 9.20.0

Description: Sharp, a content management framework for Laravel, has an unrestricted file upload issue in its file upload functionality. The ApiFormUploadController accepts a client-controlled validation rule parameter that is passed directly to the Laravel validator without adequate server-side checks. An attacker can bypass file type restrictions by manipulating the validation rule parameter to include validation rule[]=file. This allows the upload of arbitrary files, potentially including PHP webshells. The vulnerable code is located in src/Http/Controllers/Api/ApiFormUploadController.php at line 24. If the storage disk is publicly accessible, this could lead to Remote Code Execution (RCE).

Recommendations: Versions prior to 9.20.0 should be updated to version 9.20.0 or later, which removes the client-controlled validation rules and enforces upload rules server-side. As a workaround, ensure the storage disk used for Sharp uploads is strictly private.
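The pattern the description names (validation rules taken from the request body and handed to the Laravel validator) next to a server-side-only alternative that also applies the recommended private-disk workaround, as an added illustration in PHP. This is not Sharp's ApiFormUploadController and not the project's 9.20.0 fix; the controller name, the `profile` parameter, the rule profiles, the `uploads` directory and the disk names are assumptions chosen for the example.

```php
<?php
// Added illustrative example, not Sharp's code and not its actual fix.
// It contrasts a controller that lets the client supply validation rules
// with one whose rule set is fixed in server code. Class name, the
// "profile" parameter, rule profiles and disk names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Str;

final class ExampleUploadController
{
    // WEAK: the rule list comes from the request body, so the client decides
    // what "valid" means. A client that sends only a generic "file" rule
    // strips every type restriction the server intended to apply, and the
    // file then lands on the web-served "public" disk.
    public function uploadWeak(Request $request): JsonResponse
    {
        $rules = $request->input('validation_rule', []); // client-controlled

        Validator::make($request->all(), ['file' => $rules])->validate();

        $path = $request->file('file')->store('uploads', 'public');

        return response()->json(['path' => $path]);
    }

    // HARDENED: the rule set is fixed in server code and selected through a
    // server-side allow-list of named profiles. Nothing in the request can
    // widen the set of accepted types or sizes.
    private const ALLOWED_RULES = [
        'image' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png,gif', 'max:5120'],
        'doc'   => ['required', 'file', 'mimes:pdf', 'max:10240'],
    ];

    public function uploadHardened(Request $request): JsonResponse
    {
        // The client may choose a profile name, never the rules themselves.
        $profile = $request->input('profile', 'image');
        if (!array_key_exists($profile, self::ALLOWED_RULES)) {
            abort(422, 'Unknown upload profile');
        }

        // Throws a ValidationException (HTTP 422) when the file fails the rules.
        $validated = $request->validate(['file' => self::ALLOWED_RULES[$profile]]);
        $file = $validated['file'];

        // Derive the stored extension from the server-side MIME sniff rather
        // than the client-supplied filename, and use a random basename so
        // the original name never reaches the filesystem.
        $ext  = $file->guessExtension() ?? 'bin';
        $name = Str::uuid() . '.' . $ext;

        // The "local" disk (storage/app) is not served by the web server, so
        // even a misclassified upload cannot be fetched or executed as PHP.
        $path = Storage::disk('local')->putFileAs('uploads', $file, $name);

        return response()->json(['path' => $path]);
    }
}
```

The two controls reinforce each other: fixed server-side rules stop the upload of unexpected types, and a private disk means that if a type check is ever bypassed the file is still not reachable through a URL. In a default Laravel install only the `public` disk is exposed (via the `public/storage` symlink), which is why the advisory's workaround of keeping the Sharp upload disk private removes the RCE path even before upgrading.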


Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2026-33687, GHSA-FR76-5637-W3G9

Affected Products: Laravel, Sharp