CVE-2026-33687
Published 2026-03-26
Priority: P2 · 61 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% (39.4th percentile)
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code16 | sharp | < 9.20.0 | 9.20.0 |
| code16 | sharp | >= 0 < 9.20.0 | 9.20.0 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the Sharp ApiFormUploadController upload endpoint for a client-supplied `validation_rule` parameter, especially `validation_rule[]=file`, which indicates an attempt to bypass server-side file type validation.
- Alert on file uploads to Sharp (code16/sharp) installations running versions prior to 9.20.0 where the uploaded file type does not match expected MIME/extension restrictions, as the validation bypass allows any file type to be uploaded.
- Assess risk of direct PHP file execution if the Sharp storage disk is configured as public; uploaded PHP files could be directly executed under such configurations.
- The vulnerability is only exploitable by authenticated users; unauthenticated exploitation is not possible.
- Uploaded PHP files are not directly executable under default (private disk) configurations; the risk of RCE is elevated only when a public disk is explicitly configured for Sharp uploads.
- As a workaround prior to patching, ensuring the Sharp storage disk is strictly private mitigates the most severe impact (direct PHP execution), but does not prevent the file type bypass itself.
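The first and last detection items above (watch for a client-supplied `validation_rule` on the upload endpoint, and mitigate until patched) can be combined in a Laravel middleware. This is an added example written for this page, not code from Sharp or from the advisory; the upload route prefix, the class name and the log message are assumptions, and the middleware must be registered for the Sharp routes in your application.

```php
<?php
// Added example (not Sharp's own code): Laravel middleware that logs, and by
// default rejects, requests to the upload endpoint that carry a client-supplied
// validation_rule parameter, the indicator named in the advisory.
// The route prefix below is an assumption; set it to the upload route your
// Sharp installation registers.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class FlagClientValidationRules
{
    /** Route-path pattern to watch (assumed for this example; trailing * is a wildcard). */
    private const UPLOAD_PATH_PATTERN = 'sharp/api/form/upload*';

    /** Set to false to only log while confirming no legitimate client sends the parameter. */
    private const REJECT = true;

    public function handle(Request $request, Closure $next): Response
    {
        // has() looks at both query string and request body, so the parameter is
        // caught whichever way the client sends it.
        if ($request->is(self::UPLOAD_PATH_PATTERN) && $request->has('validation_rule')) {
            Log::warning('CVE-2026-33687 indicator: client-supplied validation_rule on upload endpoint', [
                'user_id'         => optional($request->user())->getAuthIdentifier(),
                'ip'              => $request->ip(),
                'path'            => $request->path(),
                'validation_rule' => $request->input('validation_rule'),
            ]);

            if (self::REJECT) {
                // 422 mirrors what a failed Laravel validation would return.
                abort(422, 'Client-supplied validation rules are not accepted.');
            }
        }

        return $next($request);
    }
}
```

Register the middleware on the Sharp route group (in `app/Http/Kernel.php` or `bootstrap/app.php`, depending on the Laravel version). Logging the authenticated user id matters here because the advisory notes exploitation requires authentication, so every hit points at an account to review. Rejecting the parameter is a stop-gap only; upgrading to 9.20.0, where the rules are fixed server-side, remains the fix.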
GHSA · 2026-03-25
CVE-2026-33687 [HIGH] CWE-434: Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
### Summary
The `code16/sharp` Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions.
### Details
The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. The vulnerable code is located in `src/Http/Controllers/Api/ApiFormUploadController.php` at line 24.
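The mechanism described in this Details section (and in the description at the top of the page), as an added PHP illustration that is not Sharp's own code: a controller action that takes its validation rules from the request, beside one that fixes the rules in server code, which is the approach the advisory says the 9.20.0 fix takes. The class name, method names, rule list and disk name are assumptions for this example.

```php
<?php
// Added illustration (not Sharp's own code) of the flaw the advisory describes
// and of the server-side alternative. Names and the rule list are assumptions.

namespace App\Http\Controllers\Api;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class UploadControllerExample
{
    // Vulnerable shape: the rule list is read from the request body, so the
    // client decides how its own upload is validated. A request carrying
    // validation_rule[]=file replaces any mimes:/extensions: rule with the bare
    // "file" rule, which only checks that an upload is present.
    public function storeUnsafe(Request $request)
    {
        $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png']); // client-controlled

        $validated = Validator::make($request->all(), [
            'file' => $rules,
        ])->validate();

        return $validated['file']->store('uploads', 'local');
    }

    // Hardened shape: the rule list is a constant in server code and the request
    // is never consulted for it. 'mimes' in Laravel checks the extension guessed
    // from file content, not the client-supplied name; 'max' is in kilobytes.
    private const UPLOAD_RULES = ['required', 'file', 'mimes:jpg,png,pdf', 'max:10240'];

    public function storeSafe(Request $request)
    {
        $validated = $request->validate([
            'file' => self::UPLOAD_RULES,
        ]);

        // 'local' is Laravel's default private disk: files stored there are not
        // served over HTTP, which is the advisory's interim mitigation.
        return $validated['file']->store('uploads', 'local');
    }
}
```

The second action is the shape to look for when reviewing any upload handler: the rule array should be traceable to code or configuration only, never to `$request`. Keeping uploads on a private disk is independent of the rule fix and worth doing regardless, since it is what separates "arbitrary file stored" from "arbitrary PHP executed".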
### Impact
This vulnerability leads to several critical securi
OSV · 2026-03-25
CVE-2026-33687 [HIGH]: Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
No detection rules found.
No public exploits indexed.
Published: 2026-03-26