CVE-2026-33686
Published 2026-03-26
Severity: High, CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.55% (41.7th percentile)
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code16 | sharp | < 9.20.0 | 9.20.0 |
| code16 | sharp | >= 0 < 9.20.0 | 9.20.0 |
OSV
osv · 2026-03-25
CVE-2026-33686 [HIGH] Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
### Summary
A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.
### Detail
In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. However, the extracted extension is never sanitized. While the application uses a `normalizeName()` function, that function only cleans the base filename, so any path separators (such as `/`) injected into the extension survive and are passed into the `storeAs()` function.
### Impact
Exploiting this flaw allows an authenticated attack
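The following is an added illustration, not code from the code16/sharp project: a simplified re-creation of the vulnerable split-at-last-dot logic the advisory describes, placed beside a hardened version that follows the fix the advisory names (`pathinfo(PATHINFO_EXTENSION)` plus strict regex replacement on both the base name and the extension). The function names `explodeExtensionVulnerable`, `explodeExtensionHardened`, `normalizeBaseName` and `isSafeStoragePath`, and the sample filenames, are assumptions made for this example and are not Sharp's real signatures or test data; it needs PHP 8 or later for `str_contains()`.

```php
<?php
// Added example (not code16/sharp code): vulnerable vs hardened extension
// splitting, modelled on the behaviour the advisory describes. All names
// here are illustrative, not the package's real API.

declare(strict_types=1);

/** Stand-in for the base-name cleaner the advisory mentions (illustrative). */
function normalizeBaseName(string $base): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '-', $base);
}

/** Vulnerable shape: split at the last dot, sanitize only the base name. */
function explodeExtensionVulnerable(string $filename): array
{
    $pos = strrpos($filename, '.');
    if ($pos === false) {
        return [normalizeBaseName($filename), ''];
    }
    // The extension is returned untouched: anything after the last dot,
    // including "/" or "..", survives into the path handed to storage.
    return [normalizeBaseName(substr($filename, 0, $pos)), substr($filename, $pos + 1)];
}

/** Hardened shape: pathinfo() plus an allowlist regex applied to BOTH parts. */
function explodeExtensionHardened(string $filename): array
{
    // pathinfo() treats "/" as a directory separator, so the extension and
    // base name are taken from the last path segment only.
    $ext  = pathinfo($filename, PATHINFO_EXTENSION);
    $base = pathinfo($filename, PATHINFO_FILENAME);
    // Strict allowlists: extension keeps letters and digits only; base name
    // keeps letters, digits, dash and underscore. Everything else is dropped.
    $ext  = preg_replace('/[^A-Za-z0-9]/', '', $ext);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '-', $base);
    return [$base === '' ? 'file' : $base, strtolower($ext)];
}

/** Defender's check: refuse any result that still carries a separator or "..". */
function isSafeStoragePath(string $base, string $ext): bool
{
    $joined = $ext === '' ? $base : $base . '.' . $ext;
    return !str_contains($joined, '/')
        && !str_contains($joined, '\\')
        && !str_contains($joined, '..');
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['report.pdf', 'notes.txt/../escaped', 'archive.tar.gz'];
foreach ($samples as $name) {
    [$vb, $ve] = explodeExtensionVulnerable($name);
    [$hb, $he] = explodeExtensionHardened($name);
    printf("%-22s vulnerable -> %s.%s (%s) | hardened -> %s.%s (%s)\n",
        $name,
        $vb, $ve, isSafeStoragePath($vb, $ve) ? 'ok' : 'UNSAFE',
        $hb, $he, isSafeStoragePath($hb, $he) ? 'ok' : 'UNSAFE');
}
```

For the second constructed sample, the vulnerable split finds the last dot inside `..`, so the "extension" becomes `/escaped` and the separator reaches the storage layer unchanged, while `normalizeBaseName()` has only cleaned the part before the dot. The hardened version never sees that separator because `pathinfo()` reads only the final path segment, and the allowlist regex removes anything else that is not a plain extension character. A defender reviewing an upload path can reuse `isSafeStoragePath()` as a last-line assertion before calling `storeAs()`, independent of how the name was split.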
GHSA
ghsa · 2026-03-25
CVE-2026-33686 [HIGH] CWE-22 Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil
No detection rules found.
No public exploits indexed.