CVE-2026-48557
Deferred Deferred - Pending Action
File Upload Bypass in Spatie Laravel Media Library

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-48557
EUVD
EUVD-2026-33439
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
spatie laravel_media_library to 11.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48557 is a file upload restriction bypass vulnerability in the Spatie Laravel Media Library before version 11.23.0. The issue arises because the sanitizer function FileAdder::defaultSanitizer() only checks the final file extension of uploaded files. This allows attackers to use double-extension filenames like shell.php.jpg to bypass the blocklist that is intended to prevent uploading executable files.

The sanitizer's blocklist is incomplete and does not include several executable extensions such as .php6, .shtml, and .htaccess. The vulnerability requires a legacy Apache AddHandler configuration to enable PHP execution of these bypassed files. The fix introduced stricter filename validation by checking every extension segment in the filename and expanding the blocklist to cover more dangerous extensions.

Impact Analysis

This vulnerability can allow an attacker to upload malicious files that bypass the file extension restrictions, potentially leading to remote code execution if the server is configured with legacy Apache AddHandler settings. This means an attacker could execute arbitrary PHP code on the server, compromising the application and underlying system.

Such an exploit could lead to unauthorized access, data theft, data manipulation, or complete system compromise, depending on the attacker's goals and the server environment.

Detection Guidance

This vulnerability involves bypassing file upload restrictions by using filenames with double extensions such as shell.php.jpg that evade the sanitizer's blocklist. Detection can focus on identifying files with suspicious double extensions or executable extensions that are not properly blocked.

  • Search for files with double extensions that include executable segments, for example, using commands like: find /path/to/media -type f -regex ".*\.php\..*"
  • Look for files with extensions omitted from the blocklist such as .php6, .shtml, .htaccess, using commands like: find /path/to/media -type f \( -name "*.php6" -o -name "*.shtml" -o -name ".htaccess" \)

Additionally, review your Apache configuration for legacy AddHandler directives that could enable execution of these files.

Mitigation Strategies

The primary mitigation is to upgrade the spatie/laravel-medialibrary package to version 11.23.0 or later, which includes hardened filename validation preventing bypass via double extensions and expands the blocklist of dangerous extensions.

  • Upgrade to spatie/laravel-medialibrary version 11.23.0 or newer.
  • Apply the updated configuration keys in config/media-library.php: use "disallowed_extensions" to customize or extend the blocklist and "allowed_extensions" for strict allowlisting.
  • Review and remove any legacy Apache AddHandler configurations that enable execution of files with extensions like .php, .php6, .shtml, or .htaccess.

Also consider auditing usage of addMediaFromUrl() for SSRF risks and ensure proper validation of user-supplied URLs.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-48557 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart