plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
PUBLISHED5.2CWE-434
Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
Problem type
Affected products
plank
laravel-mediable
<= 6.4.0 - AFFECTED
References
Project repository
https://github.com/plank/laravel-mediable
Release 6.4.0
https://github.com/plank/laravel-mediable/releases/tag/6.4.0
Upstream project homepage
https://github.com/plank/laravel-mediable
GitHub Security Advisories
GHSA-2w6q-cfjg-6mjp
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an...
https://github.com/advisories/GHSA-2w6q-cfjg-6mjpplank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-4809Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-4809",
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"dateUpdated": "2026-03-26T13:41:27.981Z",
"dateReserved": "2026-03-25T12:35:26.385Z",
"datePublished": "2026-03-26T11:03:27.086Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec",
"dateUpdated": "2026-03-26T11:03:27.086Z"
},
"title": "Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable",
"descriptions": [
{
"lang": "en",
"value": "plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts."
}
]
}
],
"affected": [
{
"vendor": "plank",
"product": "laravel-mediable",
"defaultStatus": "unaffected",
"versions": [
{
"version": "<= 6.4.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"cweId": "CWE-434",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/plank/laravel-mediable",
"name": "Project repository"
},
{
"url": "https://github.com/plank/laravel-mediable/releases/tag/6.4.0",
"name": "Release 6.4.0"
},
{
"url": "https://github.com/plank/laravel-mediable",
"name": "Upstream project homepage"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote attacker can upload a file containing executable PHP code while supplying a benign image MIME type. If the consuming application accepts the client-controlled MIME type and stores uploaded files in a web-accessible executable location, this can result in arbitrary file upload and remote code execution."
}
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"baseScore": 10
}
}
],
"credits": [
{
"lang": "en",
"value": "Sobirjonov Xurshidbek",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-26T13:41:27.981Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}