CVE-2026-49969
Laravel-Mediable < 7.0.0 SSRF via RemoteUrlAdapter URL Handling
CVSS Score
7.4
EPSS Score
0.0%
EPSS Percentile
0th
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.
| CWE | CWE-918 |
| Vendor | plank |
| Product | laravel-mediable |
| Published | Jul 13, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for plank laravel-mediable
Be the first to know when new high vulnerabilities affecting plank laravel-mediable are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
plank / laravel-mediable
0 < 7.0.0
References
Credits
Xurshidbek Sobirjonov VulnCheck