Code16 Sharp vulnerabilities
8 known vulnerabilities affecting code16/sharp.
Total CVEs: 8
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: HIGH 4, MEDIUM 4
Vulnerabilities
CVE-2023-4863 | P1 | HIGH | CVSS 8.8 | KEV | PoC | affected ≥ 0, < 0.32.6 | 2023-11-16
CVE-2023-4863 [HIGH] sharp vulnerability in libwebp dependency CVE-2023-4863
## Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.
## Who does this affect?
Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.
## How to resolve this?
### Using prebuilt binaries provided by sharp?
Mos
Sources: ghsa, osv
CVE-2026-33687 | P2 | HIGH | CVSS 8.8 | fixed in 9.20.0 | 2026-03-26
CVE-2026-33687 [HIGH] CWE-434
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is di
Sources: ghsa, nvd, osv
CVE-2026-33686 | P3 | HIGH | CVSS 8.8 | fixed in 9.20.0 | 2026-03-26
CVE-2026-33686 [HIGH] CWE-22
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function ext
Sources: ghsa, nvd, osv
CVE-2026-44692 | P3 | HIGH | CVSS 7.7 | fixed in 9.22.0 | 2026-06-10
CVE-2026-44692 [HIGH] CWE-639
Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the requested storage object is not bound to the authorized entity
Sources: ghsa, nvd
CVE-2022-29256 | P4 | MEDIUM | affected ≥ 0, < 0.30.5 | 2022-06-01
CVE-2022-29256 [MEDIUM] CWE-77 sharp vulnerable to Command Injection in post-installation over build environment
There's a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5.
This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their b
Sources: ghsa, osv
CVE-2025-62798 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.11.1 | 2025-10-28
CVE-2025-62798 [MEDIUM] CWE-79
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScr
Sources: ghsa, nvd, osv
CVE-2025-61457 | P4 | MEDIUM | affected ≥ 0, < 9.7.0 | 2025-10-21
CVE-2025-61457 [MEDIUM] CWE-79 code16 Sharp vulnerable to Cross Site Scripting (XSS)
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
Sources: ghsa, osv
CVE-2026-53634 | P4 | MEDIUM | CVSS 4.3 | affected >= 9.0.0, < 9.22.3 | 2026-06-10
CVE-2026-53634 [MEDIUM] CWE-862
Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retr
Sources: nvd