PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49972 plank CVE debrief

CVE-2026-49972 is a high-severity vulnerability in Laravel-Mediable that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension. This vulnerability exists in versions before 7.0.0 and can be exploited on misconfigured Apache or nginx servers that execute PHP code in uploaded files. The vulnerability has a CVSS score of 7.7 and is classified as HIGH severity.

Vendor
plank
Product
laravel-mediable
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Developers and administrators using Laravel-Mediable versions before 7.0.0 should be aware of this vulnerability and take immediate action to patch their systems. Additionally, security teams and vulnerability management teams should review the affected scope and severity to prioritize remediation efforts.

Technical summary

The vulnerability in Laravel-Mediable before version 7.0.0 allows attackers to upload files with double extensions, such as shell.php.jpg, which can be executed as PHP code on misconfigured servers. The PATHINFO_FILENAME extraction preserves the inner .php extension, bypassing MIME type, extension, and aggregate type validation checks due to the outer .jpg extension. This can lead to remote code execution on affected systems.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Laravel-Mediable version 7.0.0 or later
  • Verify and correct server configurations to prevent execution of PHP code in uploaded files
  • Implement additional validation and sanitization for uploaded files
  • Monitor for suspicious file uploads and system activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-13T19:17:10.447Z and last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and review official advisories for specific guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:10.447Z and has not been modified since then. The NVD entry is currently Deferred.