Cyber Posture

CVE-2026-4809

Severity: Critical

Published: 26 March 2026
Modified: 26 March 2026
KEV Added: none recorded
Patch: none available at time of publication
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0056 (68.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Directly mandates validating the content of uploaded files beyond client-supplied MIME types, rejecting executable PHP code disguised as benign images.

prevent, detect: Deploys malicious code protection at file upload entry points to scan for and eradicate dangerous files such as PHP shells before storage.

prevent: Restricts file uploads to organization-defined safe types and extensions, blocking PHP files irrespective of spoofed MIME types.

Security Summary (AI-generated)

CVE-2026-4809 is a vulnerability in the plank/laravel-mediable package through version 6.4.0, a Laravel media handling library. It enables the upload of dangerous file types when an application using the package accepts or prefers a client-supplied MIME type during file upload processing. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote attacker with network access can exploit this vulnerability without authentication or user interaction by submitting a file containing executable PHP code while declaring a benign image MIME type. This results in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, it may lead to remote code execution on the server.

Published on 2026-03-26, the advisory notes that no patch was available at the time, and the vendor had not responded to coordinated disclosure attempts. Relevant references include the project repository at https://github.com/plank/laravel-mediable and the 6.4.0 release page at https://github.com/plank/laravel-mediable/releases/tag/6.4.0, which security practitioners should monitor for updates or patches.

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to exploit a public-facing Laravel web application via unrestricted file upload with dangerous types (e.g., PHP webshell), directly enabling T1190: Exploit Public-Facing Application for initial access and potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/plank/laravel-mediable
https://github.com/plank/laravel-mediable/releases/tag/6.4.0