CVE-2026-4809 CRITICAL

CVE-2026-4809: Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable

Vendor Plank

Product laravel-mediable

Weakness CWE-434 · Unrestricted file upload

Published March 26, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Key dates

Disclosure timeline

March 26, 2026 CVE published

March 26, 2026 Record updated