CVE-2026-33686
Published: 26 March 2026
Summary
CVE-2026-33686 is a high-severity Path Traversal (CWE-22) vulnerability in Code16 Sharp. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validating filename inputs to block path traversal sequences like directory separators in extensions before they reach the storage layer.
Mandates identifying and correcting flaws such as the improper strrpos-based extension extraction in Sharp's FileUtil by applying patches like version 9.20.0.
Requires vulnerability scanning of applications and packages like Sharp to detect path traversal issues like CVE-2026-33686 and trigger remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vuln in web CMS directly enables exploitation of public-facing app (T1190) for unauthorized file read (T1005) and deletion (T1070.004) outside intended storage scope.
NVD Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into…
more
the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
Deeper analysisAI
CVE-2026-33686 is a path traversal vulnerability (CWE-22) affecting Sharp, a content management framework built as a package for Laravel. Versions prior to 9.20.0 are vulnerable due to improper sanitization of file extensions in the FileUtil class, specifically in the `FileUtil::explodeExtension()` function within `src/Utils/FileUtil.php`. This function extracts a file's extension by splitting the filename at the last dot, allowing path separators to bypass validation and reach the storage layer. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user, can exploit this over the network with low complexity and no user interaction required. By crafting filenames with path separators in the extension, the attacker can traverse directories in the storage layer, potentially achieving high-impact unauthorized access to read, modify, or delete files outside the intended scope.
The issue was patched in Sharp version 9.20.0 by replacing the vulnerable `strrpos()` logic with `pathinfo(PATHINFO_EXTENSION)` for proper extension sanitization, along with strict regex replacements applied to both the base name and extension. Additional details are available in the GitHub security advisory (GHSA-9ffq-6457-8958) and the patching pull request (#715).
Details
- CWE(s)