CVE-2026-33687
published 2026-03-26

Priority: P2 (61)
Severity: high, CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% (39.4th percentile)
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
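As an added illustration of the weakness class described above (not Sharp's own code; the function names, the `file` field and the rule lists are hypothetical, while the Validator facade and Request class are standard Laravel), the vulnerable pattern beside its server-side fix:

```php
<?php
// Added illustration of the weakness class in CVE-2026-33687, not Sharp's code.
// Function names, the 'file' field and the rule lists are hypothetical; the
// Validator facade and the Request class are standard Laravel.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

// Vulnerable pattern: the rule set is taken from the request itself. A client
// that sends validation_rule[]=file replaces the intended MIME/extension rules
// with the permissive "file" rule, so any file type passes validation.
function validateUploadWithClientRules(Request $request): array
{
    $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png,pdf']);

    return Validator::make($request->all(), ['file' => $rules])->validate();
}

// Hardened pattern: the rule set is a server-side constant and a client-supplied
// validation_rule parameter is never read. 'mimes' checks the extension derived
// from the file's content, not the name the client chose.
const UPLOAD_RULES = ['required', 'file', 'mimes:jpg,jpeg,png,pdf', 'max:10240'];

function validateUploadWithServerRules(Request $request): array
{
    // only('file') also drops validation_rule and any other stray input.
    return Validator::make($request->only('file'), ['file' => UPLOAD_RULES])->validate();
}
```

Even with the hardened rules, storing the validated file on a private disk (the workaround the advisory names) keeps an accepted file from being served or executed directly.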

Affected (2 ranges)

Vendor    Product   Version range      Fixed in
code16    sharp     < 9.20.0           9.20.0
code16    sharp     >= 0, < 9.20.0     9.20.0

Detection & IOCs (extracted from sources)

Indicator (other): `validation_rule[]=file`
  • Monitor HTTP requests to the Sharp ApiFormUploadController upload endpoint for a client-supplied `validation_rule` parameter, especially `validation_rule[]=file`, which indicates an attempt to bypass server-side file type validation.
  • Alert on file uploads to Sharp (code16/sharp) installations running versions prior to 9.20.0 where the uploaded file type does not match expected MIME/extension restrictions, as the validation bypass allows any file type to be uploaded.
  • Assess risk of direct PHP file execution if the Sharp storage disk is configured as public; uploaded PHP files could be directly executed under such configurations.
  • The vulnerability is only exploitable by authenticated users; unauthenticated exploitation is not possible.
  • Uploaded PHP files are not directly executable under default (private disk) configurations; the risk of RCE is elevated only when a public disk is explicitly configured for Sharp uploads.
  • As a workaround prior to patching, ensuring the Sharp storage disk is strictly private mitigates the most severe impact (direct PHP execution), but does not prevent the file type bypass itself.