PT-2026-57850 · Unknown · Laravel-Mediable

Vulncheck

+1

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-49972

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Laravel-Mediable versions prior to 7.0.0
Description An issue exists where unauthenticated attackers can achieve remote code execution by uploading files with double extensions, such as shell.php.jpg. The PATHINFO FILENAME extraction preserves the inner .php extension in the base name. On misconfigured Apache or nginx servers that execute any filename containing .php as PHP, the stored file is interpreted as executable code. This occurs because the outer .jpg extension allows the file to bypass MIME type, extension, and aggregate type validation checks.
Recommendations Update Laravel-Mediable to version 7.0.0 or later.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49972

Affected Products

Laravel-Mediable