Plank Laravel-Mediable Arbitrary File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
An arbitrary file upload vulnerability has been identified in Plank Laravel-Mediable versions through 6.4.0. The issue arises when an application using this package accepts or prioritizes client-supplied MIME types during file uploads. In such cases, a remote attacker could upload a file containing executable PHP code while declaring a harmless image MIME type for it. If the uploaded file is stored in a web-accessible and executable directory, this could lead to remote code execution.
Impact
Exploitation of this vulnerability could result in arbitrary file uploads, with the potential for remote code execution if the uploaded files are placed in a web-accessible and executable location.
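The check that closes this gap, shown as an added example (plain PHP using the fileinfo extension, not Laravel-Mediable's own code): the MIME type is derived from the file's bytes, compared against an allow-list, and the stored extension is chosen by the server. The function name, the allow-list and the sample uploads are hypothetical and constructed for illustration.

```php
<?php
// Added example: not Laravel-Mediable code. All names are hypothetical.

// Allow-list: server-detected MIME type => extension the server assigns.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Decide whether and how to store an upload.
 * $clientMime is the Content-Type sent with the request; it is
 * attacker-controlled, so it is recorded but never used for the decision.
 */
function classifyUpload(string $bytes, string $clientMime): array
{
    // Detect the type from the content itself (libmagic signatures).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes)
        ?: 'application/octet-stream';

    if (!isset(ALLOWED_TYPES[$detected])) {
        return ['accepted' => false, 'detected' => $detected, 'claimed' => $clientMime];
    }

    // Server-generated name and extension: the client never gets to pick ".php".
    $storedAs = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];

    return ['accepted' => true, 'detected' => $detected,
            'claimed' => $clientMime, 'stored_as' => $storedAs];
}

// Constructed sample uploads: [client file name, client MIME type, content].
$png    = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00";
$script = "<?php echo 'constructed sample'; ?>";

$uploads = [
    ['avatar.png', 'image/png', $png],
    ['avatar.php', 'image/png', $script], // claims image/png, content is PHP source
];

foreach ($uploads as [$name, $claimed, $bytes]) {
    $r = classifyUpload($bytes, $claimed);
    printf("%-11s claimed=%s detected=%s accepted=%s\n",
        $name, $r['claimed'], $r['detected'], $r['accepted'] ? 'yes' : 'no');
}
```

Content detection alone does not reject a valid image that also carries PHP text, so the second condition in the advisory still has to be removed: store uploads outside the web root or in a location where the server does not execute PHP.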
