CVE-2026-48555
Deferred Deferred - Pending Action
Spatie Laravel Media Library SSRF Vulnerability

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-48555
EUVD
EUVD-2026-33418
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
spatie laravel_media_library to 11.23.0 (exc)
spatie laravel_medialibrary to 11.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48555 is a Server-Side Request Forgery (SSRF) vulnerability found in Spatie Laravel Media Library versions before 11.23.0.

This vulnerability exists in the addMediaFromUrl() method within the InteractsWithMedia.php file. It allows remote attackers to cause the server to make arbitrary outbound HTTP requests by passing user-controlled URLs to this method.

Detection Guidance

The vulnerability in Spatie Laravel Media Library before version 11.23.0 involves the addMediaFromUrl() method allowing SSRF attacks by passing user-controlled URLs. Detection involves monitoring for unusual outbound HTTP requests initiated by the server, especially those triggered by this method.

Since the vulnerability is triggered by user-supplied URLs causing outbound HTTP requests, you can detect exploitation attempts by inspecting logs for unexpected or suspicious outbound HTTP connections from your Laravel application server.

Suggested commands to help detect potential exploitation attempts include:

  • Use network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the server: tcpdump -i eth0 tcp and port 80 or 443
  • Check web server or application logs for requests invoking addMediaFromUrl() or related endpoints that accept URLs.
  • Use grep to search application logs for suspicious URL parameters: grep -i 'addMediaFromUrl' /path/to/laravel/logs/laravel.log
  • Monitor outbound HTTP requests with tools like curl or wget logs if used internally, or enable verbose logging in your HTTP client libraries.

Note that no specific detection commands or signatures are provided in the available resources, so detection relies on monitoring outbound requests and application logs for suspicious activity related to addMediaFromUrl().

Impact Analysis

This vulnerability can allow an attacker to manipulate the server into making arbitrary outbound HTTP requests. This could potentially be used to access internal systems, bypass firewalls, or perform other malicious activities by leveraging the server as a proxy.

Mitigation Strategies

To mitigate the Server-Side Request Forgery vulnerability in Spatie Laravel Media Library, you should upgrade the library to version 11.23.0 or later, where the issue in the addMediaFromUrl() method has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart