CVE-2026-33686

HIGH 8.8

Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil

CVSS Score

8.8

EPSS Score

0.1%

EPSS Percentile

20th

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.

CWE	CWE-22
Vendor	code16
Product	sharp
Published	Mar 26, 2026
Last Updated	Mar 27, 2026

Stay Ahead of the Next One

Get instant alerts for code16 sharp

Be the first to know when new high vulnerabilities affecting code16 sharp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

code16 / sharp

< 9.20.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958 github.com: https://github.com/code16/sharp/pull/715