PT-2026-57848 · Unknown · Laravel-Mediable

Vulncheck

+1

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-49970

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0
Description An issue exists in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations. This is possible by controlling the directory argument passed to MediaUploader::toDestination(). The flaw stems from a permissive character-class regex that allows both dot and slash characters, combined with an ineffective trailing trim() call, which bypasses sanitization. This can lead to files being uploaded to sensitive locations such as the document root, environment configuration files, or application configuration directories, potentially enabling remote code execution.
Recommendations Update Laravel-Mediable to version 7.0.0 or later.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49970

Affected Products

Laravel-Mediable