CVE-2026-53634
MEDIUMSharp: Missing Authorization Check in Quick Creation Command Endpoints
Title source: cnaDescription
Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch
X_Refsource_Misc x_refsource_misc
https://github.com/code16/sharp/pull/729
X_Refsource_Misc x_refsource_misc
https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a
X_Refsource_Misc x_refsource_misc
https://github.com/code16/sharp/releases/tag/v9.22.3
Scores
CVSS v3
4.3
EPSS
0.0021
EPSS Percentile
11.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
code16/sharp
>= 9.0.0, < 9.22.3
Published
Jun 10, 2026
Tracked Since
Jun 11, 2026