CVE-2026-4809

CRITICAL 9.8

Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable

CVSS Score

9.8

EPSS Score

0.4%

EPSS Percentile

60th

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

CWE	CWE-434
Vendor	plank
Product	laravel-mediable
Published	Mar 26, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for plank laravel-mediable

Be the first to know when new critical vulnerabilities affecting plank laravel-mediable are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

plank / laravel-mediable

<= 6.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/plank/laravel-mediable github.com: https://github.com/plank/laravel-mediable/releases/tag/6.4.0

Credits

Sobirjonov Xurshidbek