PT-2026-44994 · Spatie · Laravel-Medialibrary

Vulncheck (+1)
Published: 2026-05-29
Updated: 2026-05-29
CVE-2026-48557
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Spatie Laravel Media Library versions prior to 11.23.0

Description: A file upload restriction bypass exists in the defaultSanitizer() function of the FileAdder class. The sanitizer only validates the final filename suffix, which allows files with double extensions, such as shell.php.jpg, to bypass the blocklist because pathinfo() preserves inner stems in the saved filenames. Additionally, the blocklist fails to include several executable extensions, such as .php6, .shtml, and .htaccess. While the double-extension bypass requires a legacy Apache AddHandler configuration to execute PHP, the bypass involving the incomplete blocklist does not.

Recommendations: Update to version 11.23.0 or later.
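The two weaknesses in the description (a check that looks only at the text after the last dot, and a blocklist that is too short) are easiest to see side by side. The PHP below is an added example written for this advisory; it is not Spatie's defaultSanitizer() and does not reproduce the library's real blocklist. Both blocklists and the sample filenames are constructed for illustration: finalSuffixOnlyIsAllowed() mirrors the pathinfo()-based pattern the advisory describes, and everySegmentIsAllowed() is one defensive alternative that checks every dotted segment after the stem, so a leading-dot name such as .htaccess and an inner stem such as the .php in shell.php.jpg are both caught.

```php
<?php
// Added example for this advisory; not the Spatie library's own code.

// Constructed, deliberately short blocklist of the kind the advisory calls incomplete.
const SHORT_BLOCKLIST = ['php', 'phtml', 'phar'];

// Constructed, wider blocklist that also covers the extensions the advisory names.
const EXTENDED_BLOCKLIST = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', 'phar',
    'shtml', 'htaccess', 'htpasswd',
];

/**
 * Weak pattern: only the suffix after the LAST dot is compared with the blocklist.
 * pathinfo() keeps everything before that dot as the stem, so "shell.php.jpg"
 * is judged purely as a ".jpg" file.
 */
function finalSuffixOnlyIsAllowed(string $fileName, array $blocklist): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return !in_array($ext, $blocklist, true);
}

/**
 * Defensive alternative: every dotted segment after the first one is compared
 * with the blocklist. For ".htaccess" the first segment is empty, so "htaccess"
 * is still inspected; for "php.txt" the stem "php" is left alone.
 */
function everySegmentIsAllowed(string $fileName, array $blocklist): bool
{
    $segments = explode('.', strtolower(basename($fileName)));
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, $blocklist, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; .htaccess and index.php6 hit the incomplete-list case,
// shell.php.jpg hits the double-extension case.
$samples = ['photo.jpg', 'shell.php.jpg', '.htaccess', 'index.php6', 'notes.shtml', 'php.txt'];

printf("%-15s %-28s %-28s\n", 'filename', 'final suffix, short list', 'every segment, extended list');
foreach ($samples as $name) {
    printf(
        "%-15s %-28s %-28s\n",
        $name,
        finalSuffixOnlyIsAllowed($name, SHORT_BLOCKLIST) ? 'allowed' : 'blocked',
        everySegmentIsAllowed($name, EXTENDED_BLOCKLIST) ? 'allowed' : 'blocked'
    );
}
```

Run it with `php example.php`. The left column shows the advisory's behaviour: shell.php.jpg, .htaccess and index.php6 all pass the suffix-only check against the short list, while the right column blocks them. In practice an allowlist of the few extensions an upload endpoint actually needs, applied to every segment, is simpler to keep complete than any blocklist.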

Fix

Weakness Enumeration

Incomplete List of Disallowed Inputs

Related Identifiers

CVE-2026-48557

Affected Products

Laravel-Medialibrary