PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48557 spatie CVE debrief

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer derives the extension with pathinfo(), which returns only the text after the last dot, so a double-extension filename such as shell.php.jpg is checked as .jpg, passes the blocklist, and is saved with the inner .php still in its name. The blocklist also omits extensions that can lead to code execution, including .php6, .shtml and .htaccess, so a single-extension upload with one of those names passes as well. Turning the double-extension bypass into PHP execution requires a legacy Apache AddHandler configuration, which applies its handler to every extension in a multi-extension filename; the incomplete-blocklist bypass needs no such configuration.

Vendor
spatie
Product
laravel-medialibrary
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running Spatie Laravel Media Library before 11.23.0 to accept file uploads, particularly where the uploaded files are served by Apache with legacy AddHandler directives, or where the library's extension blocklist is the only control applied to uploaded filenames. Security teams should prioritize this for applications that accept uploads from authenticated but untrusted users, since the CVSS vector requires only low privileges and no user interaction.

Technical summary

The vulnerability exists in FileAdder::defaultSanitizer(), which uses pathinfo() to split the filename and validates only the final extension. pathinfo('shell.php.jpg') returns the extension jpg and the filename shell.php, so the check sees an image extension while the saved name still contains .php. The blocklist also fails to include .php6, .shtml and .htaccess, so files with those names pass even as single extensions. Whether either bypass yields code execution depends on the web server: the double-extension bypass requires a legacy Apache AddHandler directive (which applies to any file whose name contains .php as one of its extensions) to execute the upload as PHP, while the incomplete-blocklist bypass can achieve execution without such configuration. The CVSS 4.0 vector records network attack vector, low attack complexity, low privileges required, no user interaction and high impact to confidentiality, integrity and availability, for a base score of 8.7.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Spatie Laravel Media Library to version 11.23.0 or later.
  • Review file upload handling for reliance on suffix-only validation (pathinfo() or a regex anchored to the last dot); every dot-separated segment of an uploaded name needs to be checked, and an allowlist of expected extensions is safer than a blocklist that has to enumerate every executable one.
  • Audit Apache configurations for legacy AddHandler directives bound to .php, which apply to every extension in a multi-extension filename and so execute shell.php.jpg as PHP; prefer a SetHandler inside a FilesMatch block anchored to the end of the filename (for example "\.php$").
  • Implement server-side validation beyond filename extension checks: verify the detected MIME type against the declared extension, inspect file content, and store uploads under a server-generated name in a location where script execution is disabled.
  • Consider Web Application Firewall rules that detect and block double-extension upload patterns as a compensating control while the upgrade is rolled out, not as a substitute for it.
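The following is an added example, written for this debrief and not taken from the Spatie Laravel Media Library source, that models the suffix-only check described in the technical summary beside a hardened sanitizer implementing the recommendations above. The function names (sanitizeSuffixOnly, sanitizeAllSegments, mimeMatchesExtension), the BLOCKLIST and ALLOWLIST constants and the sample filenames are all constructed for illustration; the blocklist is a stand-in that reproduces the gap the advisory reports (.php6, .shtml and .htaccess absent), not the library's real list.

```php
<?php
// Added example, not the library's code. Illustrates the suffix-only check the
// advisory describes and a hardened replacement. All names are assumptions.
declare(strict_types=1);

// Constructed stand-in blocklist; like the real one per the advisory, it lacks
// php6, shtml and htaccess.
const BLOCKLIST = ['php', 'phtml', 'php3', 'php4', 'php5', 'phar'];

// Suffix-only check: pathinfo() treats only the text after the LAST dot as the
// extension, so "shell.php.jpg" yields extension "jpg" and filename "shell.php".
function sanitizeSuffixOnly(string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, BLOCKLIST, true)) {
        return null;   // rejected
    }
    return $name;      // "shell.php.jpg" is stored verbatim, inner .php intact
}

// Hardened replacement:
//  1. every dot-separated segment after the stem must be an allowed extension,
//  2. extensions are allowlisted rather than blocklisted,
//  3. the stored name is generated server-side, so the client name never reaches disk.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function sanitizeAllSegments(string $name): ?string
{
    $base  = basename($name);                   // drop any directory components
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null;                            // no extension at all
    }
    $stem = array_shift($parts);
    if ($stem === '' || preg_match('/^[a-z0-9_-]+$/', $stem) !== 1) {
        return null;                            // ".htaccess" has an empty stem
    }
    foreach ($parts as $segment) {              // "shell.php.jpg" -> ['php', 'jpg']
        if (!in_array($segment, ALLOWLIST, true)) {
            return null;                        // 'php' is not allowed: rejected
        }
    }
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Content check: the detected MIME type must agree with the declared extension,
// so a PHP file renamed to .jpg is caught even if the name passes.
function mimeMatchesExtension(string $path, string $ext): bool
{
    $expected = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
        'gif' => 'image/gif',  'pdf'  => 'application/pdf',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return isset($expected[$ext]) && $finfo->file($path) === $expected[$ext];
}

// Constructed sample names covering both bypasses described in the advisory.
$samples = ['avatar.jpg', 'shell.php.jpg', 'shell.php6', 'page.shtml', '.htaccess', 'x.PHP'];
foreach ($samples as $s) {
    printf("%-16s suffix-only: %-7s all-segments: %s\n", $s,
        sanitizeSuffixOnly($s) === null ? 'reject' : 'accept',
        sanitizeAllSegments($s) === null ? 'reject' : 'accept');
}

// Constructed content check: a file carrying a PHP tag but named .jpg fails.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");
printf("php body declared as jpg: %s\n", mimeMatchesExtension($tmp, 'jpg') ? 'accept' : 'reject');
unlink($tmp);
```

Of the six sample names, only avatar.jpg survives the hardened sanitizer; the suffix-only check accepts every name except x.PHP, which is exactly the pattern the advisory describes. Generating the stored name server-side also removes the Apache AddHandler dependency, since no client-controlled segment ever appears in the path that mod_mime inspects.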

Evidence notes

CVE published 2026-05-29T20:16:28.957Z; modified 2026-05-29T20:21:38.773Z. VulnCheck advisory and GitHub commit, pull request and release references are provided.

Official resources

2026-05-29