CVE-2026-49970
Plank · laravel-mediable
Laravel-Mediable before 7.0.0 is vulnerable to path traversal due to improper sanitization of file paths, potentially allowing unauthorized file access.
Executive summary
A path traversal vulnerability in the Laravel-Mediable library allows authenticated attackers to access files outside of the intended directory, posing a high risk to data confidentiality and integrity.
Vulnerability
This vulnerability is a Path Traversal flaw (CWE-22) triggered during file path sanitization. An attacker with low-level privileges can manipulate input to traverse the filesystem and access restricted directories.
Business impact
Successful exploitation allows an attacker to read or potentially manipulate sensitive files on the host server. Given the CVSS score of 8.8, this vulnerability poses a significant risk to the confidentiality and integrity of the application environment, potentially leading to full system compromise if sensitive configuration files are exposed.
Remediation
Immediate Action: Update the laravel-mediable dependency to version 7.0.0 or later immediately.
Proactive Monitoring: Monitor application logs for suspicious path traversal patterns, such as sequences like ../ within file upload or management requests.
Compensating Controls: Implement strict input validation and ensure the application runs with the least privilege necessary to limit the impact of filesystem access.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
This vulnerability is critical due to the potential for unauthorized filesystem access. Organizations using the laravel-mediable package must prioritize updating to version 7.0.0 to remediate the flaw. Failure to patch may expose the host environment to significant data breach risks.