PT-2026-57847 · Unknown · Laravel-Mediable

Vulncheck

+1

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-49969

CVSS v3.1

7.4

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0
Description An issue allows remote attackers to issue arbitrary HTTP requests from the server by providing unvalidated URLs to endpoints that use the MediaUploader::fromSource() function. Through the RemoteUrlAdapter, attackers can target RFC-1918 addresses (private IP addresses used in local networks), loopback interfaces, cloud metadata endpoints, or file:// URIs. This can lead to access to internal infrastructure, retrieval of sensitive files, and exfiltration of cloud credentials, such as IAM tokens from instance metadata services.
Recommendations Update Laravel-Mediable to version 7.0.0 or later.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49969

Affected Products

Laravel-Mediable