PT-2026-44978 · Spatie · Laravel-Medialibrary
Vulncheck · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-48555
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Spatie Laravel Media Library versions prior to 11.23.0
Description
A server-side request forgery (SSRF) issue allows remote attackers to cause the server to issue arbitrary outbound HTTP requests. It occurs when user-controlled URLs are passed to the addMediaFromUrl() function within the InteractsWithMedia.php file. SSRF is a flaw where an attacker can force a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
Recommendations
Update to version 11.23.0 or later.
As a temporary workaround, restrict or validate user-controlled URLs passed to the addMediaFromUrl() function.
Fix
SSRF
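One way to apply the temporary workaround above is to validate the URL before it reaches addMediaFromUrl(). This is an added example, not Spatie's code and not the 11.23.0 fix; the names assertSafeMediaUrl, ALLOWED_MEDIA_HOSTS, the $resolver hook, and all hostnames and addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical allowlist for this example: the only hosts the app may fetch media from.
const ALLOWED_MEDIA_HOSTS = ['cdn.example.com', 'images.example.org'];

// Returns $url unchanged when it passes every check, otherwise throws.
// $resolver is an assumption of this example: a hook so DNS can be stubbed offline.
function assertSafeMediaUrl(string $url, ?callable $resolver = null): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('not an absolute URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_MEDIA_HOSTS, true)) {
        throw new InvalidArgumentException('host not on allowlist');
    }
    // Defence in depth: every address the host resolves to must be public.
    $resolver ??= static fn (string $h): array => array_merge(
        array_column(@dns_get_record($h, DNS_A) ?: [], 'ip'),
        array_column(@dns_get_record($h, DNS_AAAA) ?: [], 'ipv6')
    );
    $ips = $resolver($host);
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException('host resolves to a non-public address');
        }
    }
    return $url; // e.g. $model->addMediaFromUrl(assertSafeMediaUrl($input))
}

// Constructed sample input and stub resolver, so the example runs offline.
$stub = static fn (string $h): array =>
    ['cdn.example.com' => ['93.184.216.34'], 'images.example.org' => ['10.0.0.5']][$h] ?? [];
foreach (['https://cdn.example.com/a.png', 'https://images.example.org/b.png',
          'https://internal.example.net/c.png', 'ftp://cdn.example.com/a.png'] as $candidate) {
    try { assertSafeMediaUrl($candidate, $stub); echo "ALLOW  $candidate\n"; }
    catch (InvalidArgumentException $e) { echo "REJECT $candidate: {$e->getMessage()}\n"; }
}
```

The check runs before the fetch, so it does not cover redirects or a DNS answer that changes between validation and download. It complements the update to 11.23.0 or later and does not replace it.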
Affected Products
Laravel-Medialibrary