HIGH 8.8

CVE-2026-48557: Laravel Media Library File Upload Bypass and Remote Code Execution

Spatie's Laravel Media Library, a widely-used file management plugin for Laravel applications, has a vulnerability in its file upload filtering that allows authenticated attackers to upload files with names like shell.php.jpg that appear safe but retain executable code. Versions before 11.23.0 fail to properly block dangerous file extensions, and under specific Apache server configurations, these uploads can be executed as PHP scripts, potentially giving attackers full control of the application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-184
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the FileAdder::defaultSanitizer() method, which validates uploaded filenames by checking only the final extension using pathinfo(). This approach fails to detect double-extension patterns (e.g., shell.php.jpg), where the dangerous .php extension is preserved in the saved filename. Additionally, the blocklist is incomplete, omitting executable extensions such as .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler directive to trigger PHP execution on files with .php in their name regardless of final extension; the incomplete blocklist allows upload of files with omitted extensions but does not directly lead to execution without additional server misconfigurations.

Business impact

An authenticated attacker can upload files to applications using vulnerable versions of Laravel Media Library and potentially achieve remote code execution, depending on server configuration. This threatens confidentiality, integrity, and availability of affected applications and their data. Organizations relying on Media Library for user-generated content handling face risk of data theft, defacement, malware distribution, or service disruption. The requirement for authentication limits exposure to insider threats and account compromise scenarios.

Affected systems

Spatie Laravel Media Library versions before 11.23.0 are vulnerable. Organizations running Laravel applications that depend on this library for file uploads should audit their deployments. The practical impact depends on server configuration; Apache instances with legacy AddHandler rules for PHP processing are at higher risk, though the incomplete blocklist affects all affected versions.

Exploitability

The vulnerability requires an authenticated user account, reducing opportunistic exploitation risk but elevating insider threat concerns. An attacker must craft a malicious file with a double extension or use a blocked-extension file type. The double-extension bypass requires specific Apache legacy configurations; without AddHandler rules, double-extension uploads may not execute as code but still represent a control bypass. The incomplete blocklist poses a persistent risk across all server configurations.

Remediation

Upgrade Spatie Laravel Media Library to version 11.23.0 or later. Verify the upgrade completes successfully and file upload filtering is re-enabled. As a supplementary control, review and harden Apache configurations: remove or audit any AddHandler directives that map file extensions to PHP handlers, and consider disallowing PHP execution in upload directories via .htaccess or web server rules. Implement whitelist-based file type validation in addition to blocklist approaches.

Patch guidance

Update Spatie Laravel Media Library to version 11.23.0 or higher. Consult the official Spatie GitHub repository and Laravel ecosystem channels for patch availability and changelog details. Apply patches during scheduled maintenance windows to minimize disruption. Test file upload functionality in a staging environment before production deployment to confirm the fix does not break legitimate workflows.

Detection guidance

Monitor application logs for uploads of files with double extensions (e.g., *.php.jpg, *.php.png) or attempts to upload files with extensions like .php6, .shtml, or .htaccess. Review filesystem permissions on upload directories and log any unauthorized file execution attempts. Implement file integrity monitoring on directories where Media Library stores uploads. Check Apache configuration for legacy AddHandler directives that may enable execution of multi-extension files.

Why prioritize this

This vulnerability scores 8.8 (HIGH) due to its high impact on confidentiality, integrity, and availability, combined with low attack complexity and the need only for low-privilege authenticated access. While it requires an authenticated user, organizations should prioritize patching to close a control bypass that could be exploited by compromised accounts or malicious insiders. The incomplete blocklist represents a persistent risk that affects all configurations, elevating priority even where Apache legacy rules are not present.

Risk score, explained

CVSS 3.1 score of 8.8 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for authenticated user with low privilege (PR:L), no user interaction needed (UI:N), and impacts confined to the vulnerable application scope (S:U). The three HIGH impacts (C:H, I:H, A:H) reflect that successful exploitation enables arbitrary file upload and potential code execution, compromising all three security pillars.

Frequently asked questions

Do I need to worry about this if I'm not running Apache with AddHandler rules?

Yes. While the double-extension bypass requires legacy Apache configuration, the incomplete blocklist allows upload of .php6, .shtml, and .htaccess files on any server. These files may not execute as PHP under standard configurations, but they represent a control bypass and could be leveraged in multi-stage attacks or if server rules change. Update to 11.23.0 regardless of your Apache setup.

We only allow trusted employees to upload files. Does that eliminate our risk?

It significantly reduces risk because exploitation requires authentication. However, threat models should account for compromised credentials, insider threats, and account takeover. Additionally, if uploads are stored in web-accessible directories, an attacker with file upload access gains a direct foothold. Patching remains essential as a foundational control.

What does 'double-extension bypass' mean in practical terms?

An attacker uploads a file named shell.php.jpg. The vulnerable sanitizer checks only the .jpg extension and allows it. When saved, the filename retains both extensions. If Apache is configured with AddHandler php .php, the web server treats any file containing .php in its name as executable, regardless of the final extension. The attacker's file runs as PHP code.

Is this vulnerability currently being exploited in the wild?

This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning no publicly documented active exploitation has been reported as of the advisory date. However, the relative simplicity of the bypass and its authentication requirement make it a plausible target for insider threats or follow-on attacks after credential compromise.

This analysis is provided for informational purposes. Security posture depends on your specific deployment, configuration, and threat model. Verify all patch version numbers and availability against official vendor advisories before applying updates. Testing in non-production environments is strongly recommended. This vulnerability analysis does not constitute legal or compliance advice; consult your security and legal teams regarding remediation timelines and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).