VulnerableCode Package Details - pkg:composer/code16/sharp@9.7.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-akfx-8k1u-2faj Aliases: CVE-2026-33687 GHSA-fr76-5637-w3g9	Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.	9.20.0 Affected by 0 other vulnerabilities.
VCID-cdgj-6szg-m7aa Aliases: CVE-2025-62798 GHSA-9f58-4465-23c7	Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .	9.11.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-huyc-6x1c-4bdv Aliases: CVE-2026-33686 GHSA-9ffq-6457-8958	Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.	9.20.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-akfx-8k1u-2faj
Aliases:
CVE-2026-33687
GHSA-fr76-5637-w3g9

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.

9.20.0
Affected by 0 other vulnerabilities.

VCID-cdgj-6szg-m7aa
Aliases:
CVE-2025-62798
GHSA-9f58-4465-23c7

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .

9.11.1
Affected by 2 other vulnerabilities.

VCID-huyc-6x1c-4bdv
Aliases:
CVE-2026-33686
GHSA-9ffq-6457-8958

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.

9.20.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:36:38.298304+00:00	GitLab Importer	Affected by	VCID-huyc-6x1c-4bdv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2026-33686.yml	38.6.0
2026-06-12T21:36:32.283770+00:00	GitLab Importer	Affected by	VCID-akfx-8k1u-2faj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2026-33687.yml	38.6.0
2026-06-12T20:28:02.731768+00:00	GitLab Importer	Affected by	VCID-cdgj-6szg-m7aa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/code16/sharp/CVE-2025-62798.yml	38.6.0