CVE-2026-49971
Deferred Deferred - Pending Action

Stored XSS in Laravel-Mediable via SVG File Upload

Vulnerability report for CVE-2026-49971, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulnCheck

Description

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS payloads in uploaded SVG files that execute with full DOM access when victims open or preview the file, enabling session cookie theft, CSRF token capture, and account takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
plank laravel-mediable to 7.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49971 is a stored cross-site scripting (XSS) vulnerability in the Laravel-Mediable package before version 7.0.0. It allows authenticated or anonymous users to upload malicious SVG files containing embedded JavaScript code.

The vulnerability occurs because the package does not properly sanitize SVG files during upload. Attackers can exploit this by embedding scripts in SVG files using methods such as onload event handlers, script tags, or foreignObject elements. When victims open or preview these files, the embedded JavaScript executes with full DOM access.

  • Stored XSS: The malicious payload is permanently stored on the server and executed when accessed by victims.
  • Exploitation vectors: Scripts can be embedded in SVG files via onload handlers, script tags, or foreignObject elements.
  • Impact: The vulnerability enables attackers to steal session cookies, capture CSRF tokens, or perform account takeovers.
Impact Analysis

This vulnerability can have several direct and indirect impacts on users and organizations:

  • Session Hijacking: Attackers can steal session cookies, allowing them to impersonate victims and gain unauthorized access to their accounts.
  • CSRF Token Theft: Malicious scripts can capture CSRF tokens, enabling attackers to perform unauthorized actions on behalf of victims.
  • Account Takeover: With access to session cookies or CSRF tokens, attackers can fully compromise user accounts, including administrative accounts.
  • Data Theft: Attackers can exfiltrate sensitive data displayed or entered in the context of the victim's session.
  • Malware Distribution: The vulnerability can be used as a vector to deliver malware or ransomware to victims' devices.
  • Reputation Damage: Organizations using the vulnerable package may suffer reputational harm if the vulnerability is exploited to compromise user data or systems.
Compliance Impact

This vulnerability can have significant implications for compliance with various standards and regulations, particularly those focused on data protection and security:

  • GDPR (General Data Protection Regulation): Exploitation of this vulnerability could lead to unauthorized access to personal data, violating GDPR's requirements for data protection and privacy. Organizations may face fines of up to 4% of global revenue or €20 million, whichever is higher, if they fail to protect personal data adequately.
  • HIPAA (Health Insurance Portability and Accountability Act): For healthcare organizations, this vulnerability could result in unauthorized access to protected health information (PHI). Non-compliance with HIPAA can lead to fines ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year.
  • PCI DSS (Payment Card Industry Data Security Standard): If the vulnerable system processes payment card data, exploitation could lead to unauthorized access to cardholder data, violating PCI DSS requirements. Non-compliance can result in fines, increased transaction fees, or loss of ability to process payments.
  • ISO 27001: This standard requires organizations to implement controls to manage information security risks. Failure to address this vulnerability could result in non-compliance with ISO 27001, potentially leading to loss of certification and associated business opportunities.
  • SOC 2: For service organizations, this vulnerability could impact the security, availability, or confidentiality principles of SOC 2. Non-compliance may result in a qualified audit opinion, affecting customer trust and business relationships.

Organizations must address this vulnerability promptly to maintain compliance with these standards and regulations. Failure to do so could result in legal penalties, financial losses, and reputational damage.

Detection Guidance

To detect the presence of this vulnerability in your Laravel-Mediable installation, you can check for the following indicators:

  • Verify the version of Laravel-Mediable in use. The vulnerability affects versions before 7.0.0. You can check the version in your `composer.json` file or by running `composer show plank/laravel-mediable`.
  • Inspect uploaded SVG files in your storage directory (e.g., `storage/app/media`) for suspicious content. Look for SVG files containing JavaScript in `onload` event handlers, `<script>` tags, or `<foreignObject>` elements. Example command to search for suspicious patterns in SVG files:

```bash grep -r -E 'onload=|<script>|<foreignObject>' /path/to/storage/app/media/ ```

  • Check your application logs for any unexpected or suspicious file uploads, particularly SVG files with unusual content.
  • Review your web application's file upload functionality to ensure it does not allow unsanitized SVG files to be rendered directly in the browser.
Mitigation Strategies

To mitigate CVE-2026-49971, take the following immediate steps:

  • Upgrade Laravel-Mediable to version 7.0.0 or later, which includes the fix for this vulnerability. You can update the package using Composer:

```bash composer require plank/laravel-mediable:^7.0.0 ```

  • If upgrading is not immediately possible, apply a temporary workaround by disabling SVG file uploads or implementing a custom sanitization mechanism for SVG files. For example, you can use the `enshrined/svg-sanitize` package to sanitize SVG files before they are stored.
  • Audit your existing media storage for any uploaded SVG files that may contain malicious JavaScript. Remove or sanitize these files to prevent exploitation.
  • Monitor your application for any suspicious activity, such as unexpected file uploads or unusual JavaScript execution in the context of SVG files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49971. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart