CVE-2026-4809
Published 2026-03-26
Priority: P269 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.28% (66.4th percentile)
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plank | laravel-mediable | <= 6.4.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
VulDB · 2026-05-20 · CVSS 9.3
CVE-2026-4809 [CRITICAL] plank laravel-mediable up to 6.4.0 unrestricted upload
A vulnerability, which was classified as critical, was found in plank laravel-mediable up to 6.4.0. Affected is an unknown function. Executing a manipulation can lead to unrestricted upload.
This vulnerability is tracked as CVE-2026-4809. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
GHSA (unreviewed) · 2026-03-26
CVE-2026-4809 [CRITICAL] CWE-434 GHSA-2w6q-cfjg-6mjp: plank/laravel-mediable through version 6
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2026-03-26