๐Ÿ” CVE Alert

CVE-2026-49970

HIGH 8.8

Laravel-Mediable < 7.0.0 Path Traversal via File::sanitizePath()

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination(). Attackers can exploit the permissive character-class regex that allows both dot and slash characters combined with an ineffective trailing trim() call to bypass sanitization and upload files to sensitive locations such as the document root, environment configuration files, or application configuration directories, enabling remote code execution.

CWE CWE-22
Vendor plank
Product laravel-mediable
Published Jul 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for plank laravel-mediable

Be the first to know when new high vulnerabilities affecting plank laravel-mediable are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

plank / laravel-mediable
0 < 7.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/plank/laravel-mediable/releases/tag/7.0.0 github.com: https://github.com/plank/laravel-mediable/commit/6d1e7fb39922fdfb3b2d120e13f4eb2e653ae082 vulncheck.com: https://www.vulncheck.com/advisories/laravel-mediable-path-traversal-via-file-sanitizepath

Credits

Xurshidbek Sobirjonov VulnCheck