PatchSiren

CVE-2026-4809 plank CVE debrief

**CVE-2026-4809** is a critical unpatched vulnerability in `plank/laravel-mediable` through version 6.4.0 that enables arbitrary file upload with potential remote code execution. The flaw occurs when applications using this package accept or prefer client-supplied MIME types during file upload handling, allowing attackers to bypass file type validation by submitting PHP executable code with a declared benign image MIME type. If uploaded files are stored in web-accessible, executable directories, this can lead to full system compromise. The vulnerability was published on March 26, 2026, and remains unpatched as of the May 19, 2026 modification date, with the vendor unresponsive to coordinated disclosure. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high impact across confidentiality, integrity, and availability.

Vendor: plank
Product: laravel-mediable
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-26
Original CVE updated: 2026-05-19
Advisory published: 2026-03-26
Advisory updated: 2026-05-19

Who should care

Organizations running Laravel applications with file upload functionality using the plank/laravel-mediable package, particularly those in shared hosting environments or with misconfigured document roots that permit PHP execution in upload directories. Development teams should prioritize server-side validation controls and secure storage configurations as immediate mitigations.

Technical summary

The laravel-mediable package through version 6.4.0 does not validate file types independently of the client-declared MIME type when an application is configured to accept or prefer that declaration. The declared type is whatever the uploading client chooses to send (for a multipart upload, the Content-Type of the file part), so an attacker can upload a file whose contents are PHP source while declaring it as image/jpeg, and validation keyed on the declaration accepts it. The upload is only the first half of an attack: code execution additionally requires that the stored file be reachable over HTTP and that the web server execute PHP from the directory it lands in. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). No patch is available and the vendor remains unresponsive.

Defensive priority

CRITICAL

Recommended defensive actions

  • Audit applications using plank/laravel-mediable to identify file upload implementations that rely on or prefer client-supplied MIME types
  • Implement server-side MIME type validation using file content inspection (magic bytes) rather than trusting client-provided Content-Type headers
  • Configure file storage locations outside web-accessible directories; if web access is required, disable script execution via web server configuration
  • Apply strict file extension allowlisting independent of MIME type validation
  • Implement additional upload restrictions including file size limits, antivirus scanning, and content security policies
  • Monitor for unauthorized file uploads and unexpected PHP file execution in application directories
  • Consider temporary removal or isolation of affected upload functionality until vendor patch is available
  • Subscribe to security advisories for plank/laravel-mediable to receive patch notifications
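The bypass described in the technical summary and the validation and storage controls listed above, as one added example in plain PHP. It was written for this debrief and is not laravel-mediable code; it does not use the package's API, so the library's own configuration for MIME handling is not reproduced. It contrasts a check that trusts the client-declared type with one that sniffs the bytes with finfo, ties the extension allowlist to the detected type, and stores the file under a server-chosen name in a directory that stands in for a location outside the document root. The ALLOWED_TYPES table, the two sample uploads and the temporary storage directory are constructed for the demonstration.

```php
<?php
// Added example for this debrief, not laravel-mediable code. Plain PHP,
// no framework: contrasts a check that trusts the client-declared MIME type
// with one that inspects the bytes, and stores accepted files outside the
// web root. Sample files and the allowlist below are constructed here.
declare(strict_types=1);

// Detected MIME type => extensions allowed for that type (constructed list).
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
];

// Vulnerable pattern: the only input is the type the client declared, which
// for a multipart upload is just the Content-Type the client chose to send.
function acceptsByClientType(string $clientMime): bool
{
    return isset(ALLOWED_TYPES[$clientMime]);
}

// Hardened pattern: derive the type from file content (libmagic via finfo),
// then require an extension that belongs to that detected type. The client's
// declaration is never consulted. Returns the extension to store under, or
// null to reject.
function acceptsByContent(string $path, string $originalName): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Only the final extension counts, so "shell.php.jpg" is judged as "jpg";
    // it must still carry bytes that libmagic identifies as that image type.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_TYPES[$mime], true) ? $ext : null;
}

// Storage: server-chosen random name, extension fixed by validation, directory
// outside the document root so the web server never serves or executes it.
// A real handler would use move_uploaded_file() on $_FILES[...]['tmp_name'].
function storeUpload(string $tmpPath, string $ext, string $storageDir): string
{
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException("could not store upload in $storageDir");
    }
    chmod($dest, 0640);
    return $dest;
}

// --- demonstration on constructed inputs ---
$tmp     = sys_get_temp_dir();
$storage = $tmp . '/uploads-' . bin2hex(random_bytes(4));   // stands in for a non-web path
mkdir($storage, 0750);

// Constructed upload 1: PHP source, declared by the client as image/jpeg.
$phpFile = tempnam($tmp, 'up');
file_put_contents($phpFile, "<?php echo 'executed'; ?>\n");

// Constructed upload 2: a JPEG SOI/APP0 header plus padding, enough for libmagic.
$jpgFile = tempnam($tmp, 'up');
file_put_contents($jpgFile, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 32));

$uploads = [
    [$phpFile, 'avatar.php', 'image/jpeg'],
    [$jpgFile, 'avatar.jpg', 'image/jpeg'],
];

foreach ($uploads as [$path, $name, $clientMime]) {
    $ext = acceptsByContent($path, $name);
    printf("%-11s declared %-10s | trusts client: %-8s | inspects content: %s\n",
        $name, $clientMime,
        acceptsByClientType($clientMime) ? 'accepted' : 'rejected',
        $ext === null ? 'rejected' : 'accepted');
    if ($ext !== null) {
        echo "            stored as ", storeUpload($path, $ext, $storage), "\n";
    } else {
        unlink($path);
    }
}
```

Run it with the php CLI; the PHP payload declared as image/jpeg is accepted by the client-type check and rejected by the content check, while the JPEG header passes both. Content sniffing is not a complete control on its own: a valid JPEG with PHP appended is still image/jpeg to libmagic, and on Apache configurations that map PHP with AddHandler a name such as x.php.jpg can still be handed to the interpreter. That is why the example also fixes the stored name and extension itself and keeps the directory out of the web root; the location and the web server's execution rules are what actually prevent a stored file from running.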

Evidence notes

Vulnerability confirmed through NVD with CVSS 4.0 scoring. Vendor unresponsive to coordinated disclosure per CVE description. No patch available at time of publication.

Official resources

UNPATCHED_NO_VENDOR_RESPONSE