PatchSiren cyber security CVE debrief
CVE-2026-44692 code16 CVE debrief
CVE-2026-44692 is a high-severity vulnerability in Sharp, a content management framework for Laravel. An authenticated user can exploit this issue to disclose unrelated objects from configured Laravel Storage disks. The vulnerability has been patched in version 9.22.0.
- Vendor: code16
- Product: sharp
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the Sharp content management framework for Laravel, particularly those with configured Laravel Storage disks.
Technical summary
Sharp, a content management framework built for Laravel as a package, had a generic download endpoint that authorized access only to the supplied Sharp entity instance. However, it read the target storage disk and path from request parameters. This allowed an authenticated Sharp user who can view one valid record to use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks.
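The authorization gap described above, modeled in plain PHP as an added example; it is not Sharp's code and not its 9.22.0 patch. The disk names, paths, record layout and function names are hypothetical and the data is constructed; the bound form shows one way to tie the requested object to the record that was authorized.

```php
<?php
declare(strict_types=1);
// Constructed sample data. Disk names, paths, the record layout and all
// function names are hypothetical, not Sharp's.
function fixtures(): array
{
    return [
        'disks' => [
            'public'  => ['posts/42/cover.jpg' => 'cover image bytes'],
            'private' => ['exports/report.csv' => 'unrelated object'],
        ],
        'records' => [
            42 => ['viewers' => ['alice'], 'files' => [['public', 'posts/42/cover.jpg']]],
        ],
    ];
}

function canView(string $user, int $recordId): bool
{
    $record = fixtures()['records'][$recordId] ?? null;
    return $record !== null && in_array($user, $record['viewers'], true);
}

// Pattern from the summary: the record is authorized, but disk and path
// come from the request and are never compared with that record.
function downloadUnbound(string $user, int $recordId, string $disk, string $path): ?string
{
    if (!canView($user, $recordId)) {
        return null;
    }
    return fixtures()['disks'][$disk][$path] ?? null;
}

// Bound form: serve only a (disk, path) pair the authorized record references.
function downloadBound(string $user, int $recordId, string $disk, string $path): ?string
{
    if (!canView($user, $recordId)) {
        return null;
    }
    if (!in_array([$disk, $path], fixtures()['records'][$recordId]['files'], true)) {
        return null; // the request names an object this record does not own
    }
    return fixtures()['disks'][$disk][$path] ?? null;
}
// Same request against both forms: record 42 is viewable, the object is not its own.
var_dump(downloadUnbound('alice', 42, 'private', 'exports/report.csv'));
var_dump(downloadBound('alice', 42, 'private', 'exports/report.csv'));
var_dump(downloadBound('alice', 42, 'public', 'posts/42/cover.jpg'));
```

When reviewing similar download handlers, the thing to look for is any storage read whose disk or path argument originates in the request and is not checked against the object the policy just authorized.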
Defensive priority
High
Recommended defensive actions
- Update Sharp to version 9.22.0 or later.
- Review and restrict access to sensitive data stored in Laravel Storage disks.
Evidence notes
CVE-2026-44692 has a CVSS score of 7.7 and is considered HIGH severity. The vulnerability was published on 2026-06-10T22:16:57.660Z and modified on 2026-06-11T15:31:25.583Z.
Official resources
Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage