CVE-2026-33687
File Upload Validation Bypass in Sharp CMS Prior to
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code16 | sharp | < 9.20.0 (fixed in 9.20.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the file upload endpoint (ApiFormUploadController) in Sharp versions prior to 9.20.0, where an authenticated user can bypass the file type restrictions by sending a manipulated validation_rule parameter.
The parameter is carried in the body of the upload request, so detection has to look at request bodies rather than request lines: a standard web server access log records only the method, path and query string and will not show validation_rule[]=file. Look for the parameter wherever the body is visible, such as a reverse proxy or WAF with request body logging, application-level request logging, or a packet capture taken where the traffic is cleartext.
For example, search for requests containing validation_rule[]=file, or its URL-encoded spelling validation_rule%5B%5D=file:
- Using grep on a log that includes request bodies (use -F, because to grep's regex engine the brackets open a bracket expression): grep -F -e 'validation_rule[]=file' -e 'validation_rule%5B%5D=file' /path/to/access.log
- Using tcpdump or tshark to capture HTTP POST requests to the upload endpoint and inspect the payload for validation_rule[]=file; this only works on cleartext traffic, so capture behind the TLS-terminating proxy or decrypt with the server key.
- Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on requests to the upload endpoint whose validation_rule values contain only a bare file rule with no MIME or extension restriction; since 9.20.0 no longer honours client-supplied rules, any such request against a patched install is still worth a look as probing.
Additionally, check the installed Sharp package version: composer.lock (package code16/sharp) records the exact version in use, and anything below 9.20.0 is vulnerable.
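As an added example (not code from the Sharp project or from this advisory), the following Python script implements the two checks above over constructed data: it scans sample request-body log lines for the bypass parameter in both its raw and URL-encoded spellings, and it reads a composer.lock to decide whether the pinned code16/sharp version is below 9.20.0. The tab-separated log format, the upload path /sharp/api/form/upload, the sample version strings, and the heuristic that a validation_rule set with no mimes:/mimetypes:/extensions: entry is a bypass attempt are all assumptions made for this example.

```python
"""Detection helpers for CVE-2026-33687 (Sharp < 9.20.0 upload validation bypass).

Added example; not code from the Sharp project or the advisory. The log format,
paths and version strings below are constructed for illustration.
"""
import json
import re
from urllib.parse import parse_qs

# Laravel array parameters arrive as validation_rule[] or validation_rule[0];
# parse_qs already decodes %5B%5D back to [] for us.
RULE_KEY = re.compile(r"^validation_rule(\[\d*\])?$")

# Rules that actually constrain the file type (assumed set, Laravel rule names).
TYPE_RULES = ("mimes:", "mimetypes:", "extensions:")

FIXED_VERSION = (9, 20, 0)

# Constructed sample lines in a hypothetical proxy log that records request
# bodies: timestamp \t client \t method \t path \t status \t body
SAMPLE_LOG = """\
2026-03-27T10:01:02Z\t203.0.113.7\tPOST\t/sharp/api/form/upload\t200\tfile=photo.jpg&validation_rule[]=file&validation_rule[]=mimes:jpg,png
2026-03-27T10:01:09Z\t203.0.113.7\tPOST\t/sharp/api/form/upload\t200\tfile=shell.php&validation_rule[]=file
2026-03-27T10:02:41Z\t198.51.100.4\tPOST\t/sharp/api/form/upload\t200\tfile=a.php&validation_rule%5B%5D=file
2026-03-27T10:03:00Z\t198.51.100.4\tGET\t/sharp\t200\t
"""

# Constructed composer.lock excerpt pinning a (hypothetical) pre-fix version.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "code16/sharp", "version": "v9.19.1"}]})


def extract_validation_rules(body):
    """Return every validation_rule value found in a URL-encoded request body."""
    rules = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if RULE_KEY.match(key):
            rules.extend(values)
    return rules


def is_bypass_attempt(rules):
    """Heuristic: a bare 'file' rule with nothing restricting MIME type or extension."""
    if not rules:
        return False
    return "file" in rules and not any(r.startswith(TYPE_RULES) for r in rules)


def find_bypass_attempts(log_text):
    """Scan tab-separated body-logging lines and return the suspicious POSTs."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        ts, client, method, path, _status, body = parts[:6]
        if method != "POST":
            continue
        rules = extract_validation_rules(body)
        if is_bypass_attempt(rules):
            hits.append({"time": ts, "client": client, "path": path, "rules": rules})
    return hits


def parse_version(text):
    """Turn 'v9.19.1' into (9, 19, 1); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def sharp_is_vulnerable(composer_lock_text):
    """True if composer.lock pins code16/sharp below 9.20.0, None if it is not installed."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "code16/sharp":
            ver = parse_version(pkg.get("version", ""))
            return ver is not None and ver < FIXED_VERSION
    return None


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", hit)
    print("code16/sharp vulnerable:", sharp_is_vulnerable(SAMPLE_LOCK))
```

On a real system, point find_bypass_attempts at whatever log actually contains request bodies, and feed sharp_is_vulnerable the application's composer.lock; the heuristic deliberately ignores requests that also carry a mimes:/extensions: rule, since those are what a legitimate pre-fix client sends.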
Can you explain this vulnerability to me?
This vulnerability exists in the Sharp content management framework for Laravel, specifically in versions prior to 9.20.0. It affects the file upload endpoint in the ApiFormUploadController, where an authenticated user can bypass all file type restrictions by manipulating the client-controlled validation_rule parameter. By sending validation_rule[]=file, the attacker can bypass MIME type and file extension checks because the parameter is passed directly into the Laravel validator without sufficient server-side enforcement.
The issue was fixed in version 9.20.0 by removing the client-controlled validation rules and enforcing strict server-side upload rules.
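To make the mechanism concrete, here is an added Python sketch of the pattern just described. It is not Sharp's PHP code or Laravel's validator, only a minimal model in which file, mimes: and extensions: rules are checked the way the text describes: the vulnerable handler takes its rule list from the request, the fixed handler ignores the request and applies server-side rules. The rule names, the SERVER_RULES list and the Upload fields are assumptions of the model.

```python
"""Simplified model of the CVE-2026-33687 pattern (added example, not Sharp code)."""
import os
from dataclasses import dataclass


@dataclass
class Upload:
    filename: str     # name supplied by the client
    sniffed_ext: str  # extension implied by the file's content (what a 'mimes:' rule checks)


# Assumed server-side rule set: 'mimes:' looks at content, 'extensions:' at the name.
SERVER_RULES = ["file", "mimes:jpg,png,pdf", "extensions:jpg,png,pdf"]


def check_rules(upload, rules):
    """Apply a tiny subset of Laravel-style rules: 'file', 'mimes:a,b', 'extensions:a,b'."""
    name_ext = os.path.splitext(upload.filename)[1].lstrip(".").lower()
    for rule in rules:
        kind, _, arg = rule.partition(":")
        allowed = {a.strip().lower() for a in arg.split(",") if a.strip()}
        if kind == "file":
            continue  # only asserts that something was uploaded; no type restriction
        if kind == "mimes" and upload.sniffed_ext.lower() not in allowed:
            return False
        if kind == "extensions" and name_ext not in allowed:
            return False
    return True


def vulnerable_upload(request):
    """Pre-9.20.0 pattern: the rule list comes from the client-controlled parameter."""
    rules = request.get("validation_rule") or SERVER_RULES
    return check_rules(request["file"], rules)


def fixed_upload(request):
    """9.20.0 pattern: the client parameter is ignored; server rules always apply."""
    return check_rules(request["file"], SERVER_RULES)


if __name__ == "__main__":
    webshell = {"file": Upload("shell.php", "php"), "validation_rule": ["file"]}
    print("vulnerable accepts shell.php:", vulnerable_upload(webshell))  # True
    print("fixed accepts shell.php:", fixed_upload(webshell))            # False
```

The point of the model is the trust boundary: once the rule list is part of the request, a client that sends only validation_rule[]=file has effectively removed every type check, and no amount of care inside the validator itself can recover from that.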
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to upload files of any type, including files the application was meant to reject, such as PHP scripts. What the upload can then do depends on where the file is stored and who can reach it; unauthorized uploads can affect the system's confidentiality, integrity and availability.
Under default configurations an attacker cannot directly execute an uploaded PHP file: that requires the storage disk used for Sharp uploads to be configured as public (web-reachable) rather than private.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Sharp to version 9.20.0 or later, where the issue has been fixed by removing the client-controlled validation rules and enforcing strict server-side upload rules.
As an interim workaround, ensure that the storage disk used for Sharp uploads is configured as strictly private, so that uploaded files are not reachable through the web server and cannot be executed. This limits the impact but does not close the bypass itself: arbitrary file types can still be uploaded until you upgrade.
Avoid using a public disk configuration for uploads, as this could allow attackers to execute uploaded PHP files.