CVE-2026-48557
File Upload Bypass in Spatie Laravel Media Library
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spatie | laravel_media_library | all versions before 11.23.0 (11.23.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48557 is a file upload restriction bypass in the Spatie Laravel Media Library before version 11.23.0. The sanitizer `FileAdder::defaultSanitizer()` inspects only the final extension of an uploaded filename, so a double-extension name such as `shell.php.jpg` passes the blocklist that is meant to stop executable files from being stored.
The blocklist itself is also incomplete: it omits several executable extensions such as `.php6`, `.shtml`, and `.htaccess`. Turning a stored file into code execution requires a legacy Apache `AddHandler` configuration that hands such extensions to the PHP interpreter. The fix validates every dot-separated segment of the filename rather than only the last one, and extends the blocklist to cover more dangerous extensions.
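The difference between checking only the final extension and checking every segment, as an added PHP example that is not spatie/laravel-medialibrary's own code; the blocklist contents and the function names are constructed for illustration:

```php
<?php
// Added example; not code from spatie/laravel-medialibrary. Contrasts a
// last-extension-only check with one that inspects every dot-separated
// segment, which is how the 11.23.0 fix is described above.
// BLOCKED_EXTENSIONS is a constructed illustration, not the package's list.

const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'php8', 'phtml', 'phar',
    'shtml', 'htaccess', 'htpasswd', 'cgi', 'pl', 'py', 'sh',
];

/** Weak pattern: only the text after the last dot is examined. */
function lastExtensionIsBlocked(string $filename): bool
{
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

/** Every extension segment, lower-cased and trimmed.
 *  "shell.php.jpg" gives ["php", "jpg"]; ".htaccess" gives ["htaccess"]. */
function extensionSegments(string $filename): array
{
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments); // drop the name part ("" for a dotfile)
    return array_map('trim', $segments);
}

/** Hardened check: reject if ANY segment is blocklisted and, when an
 *  allowlist is configured, require EVERY segment to be on it. */
function isAcceptableUpload(string $filename, ?array $allowed = null): bool
{
    $segments = extensionSegments($filename);
    if ($segments === []) {
        return $allowed === null; // no extension: nothing to block, but a strict allowlist is unmet
    }
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
        if ($allowed !== null && !in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

$imageOnly = ['jpg', 'jpeg', 'png', 'gif'];
foreach (['photo.jpg', 'shell.php.jpg', 'a.PhP6.png', '.htaccess', 'archive.tar.gz'] as $name) {
    printf("%-15s last-ext-blocked=%-5s any-segment-ok=%-5s allowlisted=%s\n", $name,
        var_export(lastExtensionIsBlocked($name), true),
        var_export(isAcceptableUpload($name), true),
        var_export(isAcceptableUpload($name, $imageOnly), true));
}
```

The run shows `shell.php.jpg` and `a.PhP6.png` slipping past the last-extension check while the per-segment check rejects them; `archive.tar.gz` passes the blocklist but fails the image-only allowlist.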
How can this vulnerability impact me?
This vulnerability lets an attacker store files that bypass the extension restrictions, which can lead to remote code execution when the web server is configured with legacy Apache `AddHandler` directives that execute those extensions as PHP. In that case arbitrary PHP code runs on the server, compromising the application and the underlying system.
Such an exploit could lead to unauthorized access, data theft, data manipulation, or complete system compromise, depending on the attacker's goals and the server environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The bypass relies on filenames with double extensions such as `shell.php.jpg` that evade the sanitizer's blocklist. Detection can therefore focus on stored media files whose names contain an executable extension in any segment, or an extension the old blocklist omitted.
- Search for files with an executable segment anywhere in the name, for example: `find /path/to/media -type f -regex ".*\.php\..*"` (note that `-regex` matches the whole path, so a directory named `x.php.` would also match).
- Look for files with extensions omitted from the old blocklist such as `.php6`, `.shtml`, and `.htaccess`: `find /path/to/media -type f \( -name "*.php6" -o -name "*.shtml" -o -name ".htaccess" \)`
Additionally, review your Apache configuration for legacy `AddHandler` directives that could cause such files to be executed.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the spatie/laravel-medialibrary package to version 11.23.0 or later, which validates every extension segment of a filename and expands the blocklist of dangerous extensions.
- Upgrade to spatie/laravel-medialibrary version 11.23.0 or newer.
- Apply the updated configuration keys in `config/media-library.php`: use `disallowed_extensions` to customize or extend the blocklist and `allowed_extensions` for strict allowlisting.
- Review and remove any legacy Apache `AddHandler` configurations that enable execution of files with extensions like `.php`, `.php6`, `.shtml`, or `.htaccess`.
Also consider auditing usage of `addMediaFromUrl()` for SSRF risks and ensure proper validation of user-supplied URLs.