PT-2026-41221 · Packagist · Mckenziearts/Livewire-Markdown-Editor
Published
2026-05-04
·
Updated
2026-05-04
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
Impact
All versions of mckenziearts/livewire-markdown-editor prior to v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler. The handler calls $file->store() with no server-side validation of MIME type, extension, or file content.

Any authenticated user with access to a page embedding <livewire:markdown-editor> can upload files of any type (.html, .svg, .js, .php, .exe, etc.) to the disk configured by livewire-markdown-editor.disk. When that disk is a public cloud bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage; the common configuration when FILESYSTEM_DISK points to such a disk), uploaded files are served publicly with a guessed Content-Type header. The consequences include:
- Stored XSS on the storage domain via uploaded .html or .svg files
- Phishing page hosting on the application's own storage domain (trust laundering)
- Malware distribution from a domain users associate with the application
- Markdown injection in the editor output via crafted filenames (the client-supplied getClientOriginalName() value was inserted verbatim into the markdown)
A real-world exploitation of this vulnerability was observed in production on a community platform using this package.
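As an added example (not the package's code and not the v1.3 patch itself), the following Livewire 3 component shows what a hardened version of a handler like updatedAttachments() looks like: an allow-list of image types enforced by Laravel's mimes rule on the detected content type, a server-generated filename instead of getClientOriginalName(), and alt text sanitized before it is inserted into the markdown. The property names ($attachments, $content), the storage directory and the allow-list are assumptions; only the config key livewire-markdown-editor.disk comes from the advisory.

```php
<?php
// Added example, not the package's own code. Hardened replacement for an
// updatedAttachments() handler of the kind described in the advisory.
// Assumed: Livewire 3, a public $attachments array bound to the file input and
// a public $content string holding the markdown. The config key
// livewire-markdown-editor.disk is the one named in the advisory.

namespace App\Livewire;

use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Livewire\Component;
use Livewire\WithFileUploads;

class HardenedMarkdownEditor extends Component
{
    use WithFileUploads;

    public string $content = '';

    /** Temporary uploads bound from the editor's file input (assumed property name). */
    public array $attachments = [];

    // Allow-list of image types. html, svg, js, php, exe and everything else
    // fail the "mimes" rule, which checks the detected MIME type of the
    // content, not the extension the client chose.
    private const ALLOWED = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

    public function updatedAttachments(): void
    {
        $this->validate([
            'attachments'   => ['array', 'max:10'],
            'attachments.*' => ['file', 'mimes:' . implode(',', self::ALLOWED), 'max:4096'],
        ]);

        $disk = config('livewire-markdown-editor.disk');

        foreach ($this->attachments as $file) {
            // Never use getClientOriginalName() for the stored path: derive the
            // extension from the detected MIME type and generate the name here.
            $ext = $file->extension();
            if (! in_array($ext, self::ALLOWED, true)) {
                continue; // defence in depth if the guessed extension is still outside the list
            }
            $name = Str::random(40) . '.' . $ext;
            $path = $file->storeAs('markdown-attachments', $name, $disk); // assumed directory

            // The client-controlled name only ever reaches the markdown as sanitized alt text.
            $alt = self::safeAltText($file->getClientOriginalName());

            $this->content .= sprintf("\n![%s](%s)\n", $alt, Storage::disk($disk)->url($path));
        }

        $this->attachments = [];
    }

    // Keep a conservative character set and cap the length so the name cannot
    // break out of the ![alt](url) syntax or carry HTML into the rendered page.
    public static function safeAltText(string $clientName): string
    {
        $base  = pathinfo($clientName, PATHINFO_FILENAME);
        $clean = preg_replace('/[^A-Za-z0-9 _-]+/', '', $base) ?? '';
        $clean = trim(Str::limit($clean, 60, ''));

        return $clean === '' ? 'image' : $clean;
    }
}
```

The allow-list stops the file types the advisory names, but it is the storage origin that bounds the damage from anything that slips through: serve uploads from a bucket or domain that is not the application's own origin, so a stored payload cannot run with the application's cookies or session.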
Patches
Upgrade to v1.3 or later.
Workarounds
If developers cannot upgrade immediately, disable the upload UI on every instance of the editor by passing :show-upload="false":

```blade
<livewire:markdown-editor wire:model="content" :show-upload="false" />
```

This hides the file input and prevents the vulnerable code path from being reached. Treat it as a stopgap until the upgrade to v1.3 is applied.
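Because the advisory reports in-the-wild exploitation, a site that ran a vulnerable version should also sweep the configured disk for files a markdown editor has no reason to hold. The function below is an added example, not part of the advisory or the package; it assumes the disk name is read from the livewire-markdown-editor.disk key, and the dangerous-extension list is constructed here from the types the advisory names.

```php
<?php
// Added example, not part of the advisory or the package. Triage sweep for a
// disk that may already hold attacker-uploaded files.
// Assumed: Laravel application context (for example php artisan tinker); the
// disk name comes from the advisory's config key livewire-markdown-editor.disk.

use Illuminate\Support\Facades\Storage;

// Constructed list: extensions an image-only editor never needs to store,
// seeded with the types the advisory names plus their common variants.
const DANGEROUS_EXTENSIONS = ['html', 'htm', 'xhtml', 'svg', 'xml', 'js', 'php', 'phtml', 'phar', 'exe'];

/**
 * Return the subset of $paths whose final extension (lower-cased) is in the
 * dangerous list. Pure function, so it can run over paths from any source:
 * Storage::allFiles(), a bucket inventory export, a web-server access log.
 *
 * @param iterable<string> $paths
 * @return list<string>
 */
function suspiciousUploads(iterable $paths): array
{
    $hits = [];
    foreach ($paths as $path) {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
            $hits[] = $path;
        }
    }

    return $hits;
}

// Usage against the configured disk: list each hit with size and modification
// time, which gives the window to search in request logs for the uploader.
$disk = Storage::disk(config('livewire-markdown-editor.disk'));
$hits = suspiciousUploads($disk->allFiles());

foreach ($hits as $path) {
    printf(
        "%s\t%d bytes\tmodified %s\n",
        $path,
        $disk->size($path),
        date('c', $disk->lastModified($path))
    );
}
```

The sweep keys on the last extension only, so it will not flag a file stored as photo.png whose bytes are actually HTML; for those, compare each object's detected MIME type (finfo on a downloaded copy) against its extension. Anything flagged should be removed from the bucket, and the modification timestamps give the window in which to look for the authenticated account that made the Livewire upload requests.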
Resources
Fix
Unrestricted File Upload
XSS
Related Identifiers
Affected Products
Mckenziearts/Livewire-Markdown-Editor