plank/laravel-mediable all versions up to and including 6.4.0
Summary
This vulnerability allows remote attackers to upload executable PHP code disguised as benign image files by spoofing the MIME type declared by the client, which the package relies on when validating uploads. If the uploaded file is stored in a web-accessible location, attackers can achieve full remote code execution on the underlying server. The vendor has not released a patch or responded to coordinated disclosure efforts as of publication.
Remediation
Replace the laravel-mediable package with a maintained alternative library if possible until a patch is released. If the package must remain in use, implement strict server-side file type validation that inspects the file's contents and does not rely on the user-supplied MIME type or filename. Restrict write permissions to web-accessible upload directories, or store uploads outside the document root, to limit the impact of potential exploitation.
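One way to implement the server-side validation described above, as an added PHP example that is not laravel-mediable's own code; it assumes PHP 8 with the fileinfo and GD extensions, and the upload directory path and the form field name are placeholders:

```php
<?php
// Added example, not laravel-mediable's own code: validate an upload by its
// bytes, never by the client-declared MIME type or the client's filename.
declare(strict_types=1);

// Content-sniffed MIME type => the only extension the stored file may carry.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
// Returns the server-chosen extension, or null if the upload must be rejected.
// $clientMime and $clientName are what the browser sent; they are logged only.
function validateImageUpload(string $tmpPath, string $clientMime, string $clientName): ?string
{
    // 1. Sniff the type from the file contents (libmagic); $clientMime is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        error_log("upload rejected: detected=" . var_export($detected, true)
            . " client=$clientMime name=$clientName");
        return null;
    }
    // 2. Require that the image actually decodes, as a second, independent check.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 3. The stored name uses only this extension; the client filename is discarded.
    return ALLOWED_IMAGE_TYPES[$detected];
}

// Re-encode with GD before storing, so that any non-image bytes carried inside
// an otherwise valid image are dropped. Returns the stored path or null.
function storeImageReencoded(string $tmpPath, string $uploadDir, string $ext): ?string
{
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // Random server-generated name: no attacker-controlled bytes in the path.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
        default => false,
    };
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage (assumes the request carried a single file field named "image"):
// $f = $_FILES['image'];
// $ext = validateImageUpload($f['tmp_name'], $f['type'], $f['name']);
// $stored = $ext ? storeImageReencoded($f['tmp_name'], '/var/app/uploads', $ext) : null;
```

Keep the upload directory outside the document root, or serve it from a location where PHP execution is disabled, so that a file which passes these checks still cannot be executed by the web server.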