CVE-2026-33687
Received Received - Intake
File Upload Validation Bypass in Sharp CMS Prior to

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code16 sharp to 9.20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Sharp content management framework for Laravel, specifically in versions prior to 9.20.0. It affects the file upload endpoint in the ApiFormUploadController, where an authenticated user can bypass all file type restrictions by manipulating the client-controlled validation_rule parameter. By sending validation_rule[]=file, the attacker can bypass MIME type and file extension checks because the parameter is passed directly into the Laravel validator without sufficient server-side enforcement.

The issue was fixed in version 9.20.0 by removing the client-controlled validation rules and enforcing strict server-side upload rules.

Detection Guidance

This vulnerability involves the file upload endpoint in Sharp versions prior to 9.20.0, where an authenticated user can bypass file type restrictions by sending a manipulated validation_rule parameter.

To detect this vulnerability on your system, you can monitor HTTP requests to the ApiFormUploadController upload endpoint for the presence of the parameter validation_rule[]=file.

For example, you can use network traffic inspection tools or web server logs to search for requests containing validation_rule[]=file.

  • Using grep on web server logs: grep 'validation_rule[]=file' /path/to/access.log
  • Using tcpdump or tshark to capture HTTP POST requests and filter for validation_rule[]=file in the payload.
  • Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on requests containing the validation_rule parameter with suspicious values.

Additionally, verifying the Sharp package version installed on your system can help determine if the vulnerability is present. Versions prior to 9.20.0 are vulnerable.

Impact Analysis

This vulnerability allows an authenticated attacker to upload files without any restriction on file type, potentially including malicious files. This could lead to unauthorized file uploads that might compromise the system's confidentiality, integrity, and availability.

However, under default configurations, an attacker cannot directly execute uploaded PHP files unless the storage disk used for Sharp uploads is configured as public rather than private.

Mitigation Strategies

To mitigate this vulnerability, upgrade Sharp to version 9.20.0 or later, where the issue has been fixed by removing client-controlled validation rules and enforcing strict server-side upload rules.

As a workaround, ensure that the storage disk used for Sharp uploads is configured as strictly private to prevent execution of uploaded files.

Avoid using a public disk configuration for uploads, as this could allow attackers to execute uploaded PHP files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart