CVE Catalog

CVE-2026-4809

Critical
Published: Translated: NVD NIST

Summary

The plank/laravel-mediable package up to version 6.4.0 allows the upload of dangerous file types when an application accepts or prefers a client-supplied MIME type. This can lead to the upload of files containing executable PHP code, resulting in potential remote code execution.

Risk Assessment

The risk to the organization involves the potential for remote code execution, which could lead to system and data compromise. If uploaded files are stored in a web-accessible location, the risk is heightened.

Recommendation

It is recommended to avoid accepting client-supplied MIME types and to monitor and restrict file upload capabilities. Additionally, keep track of vendor patches.

Original NVD description (English source)

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS