VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-akfx-8k1u-2faj

Essentials
Severities (20)
References (8)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-akfx-8k1u-2faj
Aliases	CVE-2026-33687 GHSA-fr76-5637-w3g9
Summary	Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-434	Unrestricted Upload of File with Dangerous Type
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00023	https://api.first.org/data/v1/epss?cve=CVE-2026-33687
epss	0.00023	https://api.first.org/data/v1/epss?cve=CVE-2026-33687
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-fr76-5637-w3g9
cvssv3.1	8.8	https://github.com/code16/sharp
generic_textual	HIGH	https://github.com/code16/sharp
cvssv3.1	8.8	https://github.com/code16/sharp/pull/714
generic_textual	HIGH	https://github.com/code16/sharp/pull/714
ssvc	Track	https://github.com/code16/sharp/pull/714
cvssv3.1	8.8	https://github.com/code16/sharp/releases/tag/v9.20.0
generic_textual	HIGH	https://github.com/code16/sharp/releases/tag/v9.20.0
ssvc	Track	https://github.com/code16/sharp/releases/tag/v9.20.0
cvssv3.1	8.8	https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
cvssv3.1_qr	HIGH	https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
generic_textual	HIGH	https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
ssvc	Track	https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
cvssv3.1	8.8	https://laravel.com/docs/13.x/filesystem
generic_textual	HIGH	https://laravel.com/docs/13.x/filesystem
ssvc	Track	https://laravel.com/docs/13.x/filesystem
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2026-33687
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-33687

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-33687
		https://github.com/code16/sharp
		https://nvd.nist.gov/vuln/detail/CVE-2026-33687
714		https://github.com/code16/sharp/pull/714
filesystem		https://laravel.com/docs/13.x/filesystem
GHSA-fr76-5637-w3g9		https://github.com/advisories/GHSA-fr76-5637-w3g9
GHSA-fr76-5637-w3g9		https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
v9.20.0		https://github.com/code16/sharp/releases/tag/v9.20.0

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/code16/sharp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/code16/sharp/pull/714

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/ Found at https://github.com/code16/sharp/pull/714

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/code16/sharp/releases/tag/v9.20.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/ Found at https://github.com/code16/sharp/releases/tag/v9.20.0

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/ Found at https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://laravel.com/docs/13.x/filesystem

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/ Found at https://laravel.com/docs/13.x/filesystem

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33687

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.06823
EPSS Score	0.00023
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:49:27.149790+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/33xxx/CVE-2026-33687.json	38.6.0