Search for packages
| purl | pkg:composer/code16/sharp@4.0.14 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-akfx-8k1u-2faj
Aliases: CVE-2026-33687 GHSA-fr76-5637-w3g9 |
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used. |
Affected by 0 other vulnerabilities. |
|
VCID-cdgj-6szg-m7aa
Aliases: CVE-2025-62798 GHSA-9f58-4465-23c7 |
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 . |
Affected by 2 other vulnerabilities. |
|
VCID-fad6-cdj9-ekb1
Aliases: CVE-2025-61457 GHSA-9778-v769-qvjf |
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) src/Form/Fields/SharpFormUploadField.php. |
Affected by 3 other vulnerabilities. |
|
VCID-huyc-6x1c-4bdv
Aliases: CVE-2026-33686 GHSA-9ffq-6457-8958 |
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T21:36:37.261239+00:00 | GitLab Importer | Affected by | VCID-huyc-6x1c-4bdv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2026-33686.yml | 38.6.0 |
| 2026-06-12T21:36:31.256728+00:00 | GitLab Importer | Affected by | VCID-akfx-8k1u-2faj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2026-33687.yml | 38.6.0 |
| 2026-06-12T20:28:01.598293+00:00 | GitLab Importer | Affected by | VCID-cdgj-6szg-m7aa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2025-62798.yml | 38.6.0 |
| 2026-06-12T20:26:16.098012+00:00 | GitLab Importer | Affected by | VCID-fad6-cdj9-ekb1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2025-61457.yml | 38.6.0 |