CVE-2026-48555
HIGH
Spatie Laravel Media Library < 11.23.0 SSRF via addMediaFromUrl()
Title source: cnaDescription
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.
References (4)
Core References
Release Notes: https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0
Issue Tracking: https://github.com/spatie/laravel-medialibrary/pull/3939
Patch: https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba
Third Party Advisory: https://www.vulncheck.com/advisories/spatie-laravel-media-library-ssrf-via-addmediafromurl
Scores
CVSS v3: 7.4
EPSS: 0.0025
EPSS Percentile: 15.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1): spatie/laravel-medialibrary < 11.23.0
Published: May 29, 2026
Tracked Since: May 30, 2026