CVE-2026-48557
Severity: HIGH
Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php
Title source: CNA
Description
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.
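As an added illustration of the two checks the description contrasts (this is not code from spatie/laravel-medialibrary, and the blocklist is a constructed sample, not the library's actual list): a suffix-only check that pathinfo() defeats with a double extension, beside a check that inspects every suffix and a name normaliser that strips inner dots from the stored stem.

```php
<?php
// Added illustration for this advisory; not code from
// spatie/laravel-medialibrary. BLOCKED_SUFFIXES is a constructed sample.

const BLOCKED_SUFFIXES = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', 'phar',
    'shtml', 'htaccess',
];

// Weak check in the style the advisory describes: pathinfo() reports
// only the final suffix, so "shell.php.jpg" yields extension "jpg" and
// filename "shell.php"; the inner ".php" survives into the stored name.
function weakSanitizer(string $fileName): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_SUFFIXES, true);
}

// Hardened check: every dot-separated segment after the first counts as
// a suffix, so "shell.php.jpg", "index.php6" and ".htaccess" are rejected.
function strictSanitizer(string $fileName): bool
{
    $segments = explode('.', strtolower(basename($fileName)));
    foreach (array_slice($segments, 1) as $suffix) {
        if (in_array($suffix, BLOCKED_SUFFIXES, true)) {
            return false;
        }
    }
    return true;
}

// Used together with strictSanitizer(): keep only the final suffix and
// replace dots in the stem, so a stored name never carries an inner
// ".php" for a legacy Apache AddHandler rule to match.
function neutralizedName(string $fileName): string
{
    $info = pathinfo(basename($fileName));
    $stem = str_replace('.', '_', $info['filename']);
    $ext  = isset($info['extension']) ? '.' . strtolower($info['extension']) : '';
    return $stem . $ext;
}

foreach (['avatar.jpg', 'shell.php.jpg', 'index.php6', '.htaccess'] as $name) {
    printf("%-14s weak=%s strict=%s stored=%s\n", $name,
        weakSanitizer($name) ? 'allow' : 'deny',
        strictSanitizer($name) ? 'allow' : 'deny',
        neutralizedName($name));
}
```

The weak check allows both shell.php.jpg and index.php6 (the latter because the sample list is consulted only for the last suffix, which a list missing .php6 would not contain either); the strict check denies every name but avatar.jpg.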
References (4)
Core References
Release Notes
https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0
Issue Tracking
https://github.com/spatie/laravel-medialibrary/pull/3939
Patch
https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba
Third Party Advisory
https://www.vulncheck.com/advisories/spatie-laravel-media-library-file-upload-restriction-bypass-via-fileadder-php
Scores
CVSS v3
8.8
EPSS
0.0044
EPSS Percentile
34.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-184 (Incomplete List of Disallowed Inputs)
Status
published
Products (1)
spatie/laravel-medialibrary
< 11.23.0
Published
May 29, 2026
Tracked Since
May 30, 2026