CVE-2026-49972

Plank · laravel-mediable

Laravel-Mediable before 7.0.0 is susceptible to unrestricted file uploads, which can be leveraged by an attacker to achieve remote code execution via file extension bypass.

Executive summary

A critical file upload vulnerability in the Laravel-Mediable library allows authenticated attackers to upload malicious files, leading to potential remote code execution.

Vulnerability

The vulnerability is an Unrestricted Upload of File with Dangerous Type (CWE-434). Attackers with low-level privileges can bypass extension checks to upload executable scripts, resulting in remote code execution (RCE).

Business impact

A successful exploit allows an attacker to execute arbitrary code on the server, resulting in total system compromise. With a CVSS score of 8.8, this vulnerability represents a severe threat to business operations, as it can be used to install persistent backdoors, steal sensitive data, or disrupt service availability.

Remediation

Immediate Action: Update laravel-mediable to version 7.0.0 or higher to implement mandatory file type validation.

Proactive Monitoring: Review web server access logs for requests to non-media file extensions within upload directories and monitor for unexpected process execution originating from those paths.

Compensating Controls: Configure the web server to disable script execution in upload directories and implement a strict allow-list for file types at the application gateway or WAF.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

The risk of remote code execution makes this vulnerability a top priority for remediation. Administrators should ensure that all instances of laravel-mediable are updated to version 7.0.0 immediately to prevent potential system-wide compromise.