PT-2026-57849 · Unknown · Laravel-Mediable
Vulncheck
+1
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-49971
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Laravel-Mediable versions prior to 7.0.0
Description
Stored cross-site scripting occurs when authenticated or anonymous users upload unsanitized SVG files containing embedded scripts in
onload event handlers, script tags, or foreignObject elements. These persistent payloads execute with full DOM access when a victim opens or previews the file, which can lead to session cookie theft, CSRF token capture, and account takeover.Recommendations
Update Laravel-Mediable to version 7.0.0 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Laravel-Mediable