{"id":"CVE-2026-48557","summary":"Spatie Laravel Media Library \u003c 11.23.0 File Upload Restriction Bypass via FileAdder.php","details":"Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, so a double-extension filename such as shell.php.jpg passes the blocklist, and pathinfo() preserves the inner .php stem in the saved filename. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.","modified":"2026-05-31T04:02:42.542348877Z","published":"2026-05-29T19:49:15.604Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48557.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-184"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48557.json"},{"type":"ADVISORY","url":"https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48557"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/spatie-laravel-media-library-file-upload-restriction-bypass-via-fileadder-php"},{"type":"REPORT","url":"https://github.com/spatie/laravel-medialibrary/pull/3939"},{"type":"FIX","url":"https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba"},{"type":"PACKAGE","url":"https://github.com/spatie/laravel-medialibrary"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spatie/laravel-medialibrary","events":[{"introduced":"0"},{"fixed":"98409dd203ad74a06b4ef5a7139ededc13bcf835"}]}],"versions":["11.22.1","11.22.0","11.21.2","11.21.1","11.21.0","11.20.0","11.19.0","11.18.2","11.18.1","11.18.0","11.17.10","11.17.9","11.17
.8","11.17.7","11.17.6","11.17.5","11.17.4","11.17.3","11.17.2","11.17.1","11.17.0","11.14.0","11.13.0","11.12.9","11.12.8","11.12.7","11.12.6","11.12.5","11.12.4","11.12.3","11.12.2","11.12.1","11.12.0","11.11.1","11.11.0","11.10.1","11.10.0","11.9.2","11.9.1","11.9.0","11.8.3","11.8.2","11.8.1","11.8.0","11.7.6","11.7.5","11.7.4","11.7.2","11.7.1","11.7.0","11.6.1","11.6.0","11.5.4","11.5.3","11.5.2","11.5.1","11.5.0","11.4.8","11.4.7","11.4.6","11.4.5","11.4.4","11.4.3","11.4.2","11.4.1","11.4.0","11.3.1","11.3.0","11.2.0","11.1.2","11.1.1","11.1.0","11.0.5","11.0.4","11.0.3","11.0.2","11.0.1","11.0.0","10.15.0","10.14.0","10.13.2","10.13.1","10.13.0","10.11.3","10.11.2","10.11.1","10.11.0","10.10.2","10.10.1","10.10.0","10.9.4","10.9.3","10.9.2","10.9.1","10.9.0","10.8.0","10.7.16","10.7.15","10.7.13","10.7.12","10.7.11","10.7.10","10.7.9","10.7.8","10.7.7","10.7.6","10.7.5","10.7.4","10.7.3","10.7.2","10.7.1","10.7.0","10.6.1","10.6.0","10.5.2","10.5.1","10.5.0","10.4.5","10.4.4","10.4.3","10.4.2","10.4.1","10.4.0","10.3.6","10.3.5","9.12.2","9.12.1","10.1.5","10.1.4","10.1.3","10.1.2","10.1.1","10.1.0","10.0.7","10.0.6","10.0.5","10.0.4","10.0.3","10.0.2","10.0.1","10.0.0","9.11.1","9.11.0","9.10.3","9.10.2","9.10.1","9.9.0","9.8.4","9.8.3","9.8.2","9.8.1","9.8.0","9.7.5","9.7.4","9.7.3","9.7.2","9.7.1","9.7.0","9.6.4","9.6.3","9.6.2","9.6.1","9.6.0","9.5.0","9.4.4","9.4.3","9.4.2","9.4.1","9.4.0","9.3.0","9.2.0","9.1.5","9.1.4","9.1.2","9.1.0","9.0.1","9.0.0","8.10.1","8.10.0","8.9.3","8.9.2","8.9.1","8.9.0","8.8.0","8.7.5","8.7.4","8.7.3","8.7.2","8.7.1","8.7.0","8.6.0","8.5.2","8.5.1","8.5.0","7.19.3","8.4.1","8.4.0","8.3.3","8.3.2","8.3.1","8.3.0","8.2.9","8.2.6","8.2.5","8.2.4","8.2.3","8.2.2","8.2.1","8.1.0","8.0.8","8.0.7","8.0.6","8.0.0","7.19.1","7.19.0","7.18.3","7.18.2","7.18.1","7.17.0","7.16.2","7.16.1","7.16.0","7.14.2","7.14.1","7.14.0","7.13.0","7.12.4","7.12.3","7.12.2","7.12.1","7.12.0","7.11.0","7.10.1","7.10.0","7.9.0","7.8.2","7.8.1","7.8.
0","7.7.0","7.6.9","7.6.8","7.6.7","7.6.6","7.6.5","7.6.4","7.6.3","7.6.2","7.6.1","7.6.0","7.5.6","7.5.5","7.5.4","7.5.3","7.5.2","6.9.1","7.5.1","7.5.0","7.4.3","7.4.2","7.4.1","7.4.0","7.3.12","7.3.11","7.3.10","7.3.9","7.3.8","7.3.7","7.3.6","7.3.5","7.1.3","7.1.2","7.1.1","7.1.0","7.0.6","7.0.5","7.0.4","7.0.3","7.0.2","7.0.1","7.0.0","6.9.0","6.8.0","6.7.0","6.6.9","6.6.8","6.6.7","6.6.6","6.6.5","6.6.4","6.6.3","6.6.2","6.6.1","6.6.0","6.5.0","6.4.2","6.4.1","6.4.0","6.3.0","6.2.1","6.2.0","6.1.3","6.1.2","6.1.1","6.1.0","6.0.0","5.14.0","5.13.2","5.13.1","5.13.0","5.12.1","5.11.1","5.11.0","5.10.0","5.9.0","5.8.2","5.8.1","5.8.0","5.7.0","5.6.0","5.5.3","5.5.2","5.5.1","5.5.0","5.4.0","5.3.3","5.3.2","5.3.1","5.3.0","5.2.0","5.1.0","5.0.2","5.0.1","5.0.0","4.13.0","4.12.1","4.11.3","4.11.2","4.11.1","4.10.2","4.10.1","4.10.0","4.9.5","4.9.4","4.9.3","4.9.2","4.9.1","4.8.3","4.8.2","4.8.1","4.8.0","4.7.1","4.7.0","4.6.0","4.5.0","4.4.1","4.4.0","4.3.0","4.2.1","4.2","4.1","4.0.1","4.0.0","3.17.3","3.17.2","3.17.1","3.17.0","3.16.1","3.16.0","3.15.0","3.14.1","3.14.0","3.13.4","3.13.3","3.12.2","3.12.1","3.12.0","3.11.3","3.11.2","3.11.1","3.11.0","3.10.2","3.10.1","3.10.0","3.9.2","3.9.1","3.9.0","3.8.0","3.7.3","3.7.1","3.7.0","3.6.0","3.5.1","3.5.0","3.4.0","3.3.1","3.3.0","3.2.5","3.2.4","3.2.3","3.2.2","3.2.1","3.2.0","3.1.5","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.1","3.0.0","2.3.0","2.2.3","2.2.2","2.2.1","2.2.0","2.1.5","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.1","2.0.0","1.6.2","1.6.0","1.5.6","1.5.5","1.5.4","1.5.3","1.5.2","1.5.1","1.5.0","1.1.4","1.1.3","1.1.2","1.1.1","1.0.0","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48557.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}