CVE-2026-33687
Published: 26 March 2026
Summary
CVE-2026-33687 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Code16 Sharp. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions). Note that SI-9 is a withdrawn control in Rev 5 (its content was folded into AC-2, AC-3, AC-5 and AC-6); the practical fix is the upgrade to Sharp 9.20.0, with a strictly private upload disk as the interim workaround.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces server-side validation of client-controlled parameters such as validation_rule and file metadata, directly preventing the bypass of MIME type and extension restrictions in the upload endpoint.
- SI-9 (Information Input Restrictions): Restricts file upload inputs at application boundaries to organization-defined valid types only, blocking arbitrary file uploads regardless of manipulated validation rules.
- Malicious code protection: Detects and eradicates malicious code such as PHP web shells in uploaded files, limiting the impact of an unrestricted upload that does get through.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload (CWE-434) is reachable through a web application endpoint, so exploiting it is a direct instance of Exploit Public-Facing Application (T1190): an authenticated user uploads a PHP web shell past the type restrictions. Whether that shell can then be executed depends on the upload disk being web-reachable, which the NVD description below addresses.
NVD Description
Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
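The following PHP is an added illustration of the pattern the NVD text describes, not Sharp's own code and not the change made in PR 714. It reconstructs an upload controller whose validation rules are taken from the request next to the server-side-rules form that removes the bypass. The controller and field names, the rule lists and the disk names are assumptions for illustration.

```php
<?php
// Added illustration of the CVE-2026-33687 pattern; not Sharp's own code.
// Controller and field names, rule lists and disk names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

// VULNERABLE: the validation rules come from the request itself.
class VulnerableUploadController
{
    public function store(Request $request)
    {
        // A normal client never sends validation_rule, so the default rules apply.
        // An attacker adds the form field  validation_rule[]=file  to the multipart
        // POST and the rule list becomes just ['file']: any type, any extension,
        // no size limit.
        $rules = $request->input(
            'validation_rule',
            ['required', 'file', 'mimes:jpg,png,pdf', 'max:10240']
        );

        $validator = Validator::make(['file' => $request->file('file')], ['file' => $rules]);
        if ($validator->fails()) {
            throw new ValidationException($validator);
        }

        // Worst case when combined with a public disk: storage/app/public is linked
        // to public/storage, so an uploaded shell.php becomes a URL the web server
        // executes. On a private disk the same file is only bytes on disk.
        $path = $request->file('file')->store('uploads', 'public');

        return response()->json(['path' => $path]);
    }
}

// HARDENED: rules are fixed in code, content is checked, storage is private.
class HardenedUploadController
{
    // Nothing in the request can add to, remove from or replace these rules.
    private const UPLOAD_RULES = ['required', 'file', 'mimes:jpg,jpeg,png,pdf', 'max:10240'];

    public function store(Request $request)
    {
        // `mimes:` is checked against the MIME type Laravel sniffs from the file
        // contents, not against the client-supplied extension or Content-Type.
        $request->validate(['file' => self::UPLOAD_RULES]);
        $file = $request->file('file');

        // Defence in depth against polyglots (a valid image with a PHP payload
        // appended): refuse anything containing a PHP open tag. The size limit
        // above has already been enforced, so reading the whole file is bounded.
        $content = (string) file_get_contents($file->getRealPath());
        if (stripos($content, '<?php') !== false || stripos($content, '<?=') !== false) {
            abort(422, 'Upload rejected: disallowed content.');
        }

        // Server-generated name; extension() is guessed from the content, not taken
        // from the client. Written to the private 'local' disk, which has no URL.
        $name = (string) Str::uuid().'.'.$file->extension();
        $path = $file->storeAs('uploads', $name, 'local');

        return response()->json(['path' => $path]);
    }
}
```

The hardened form is the shape of the 9.20.0 fix (rules defined server-side only); the content check and private disk are the defence-in-depth layers that keep a future bypass from turning into code execution.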
Deeper analysis
Sharp, a content management framework built as a Laravel package, contains a vulnerability in versions prior to 9.20.0 within the file upload endpoint of the ApiFormUploadController. The endpoint accepts a client-controlled validation_rule parameter, which is passed directly to the Laravel validator without adequate server-side enforcement. This allows attackers to bypass all MIME type and file extension restrictions by intercepting requests and setting validation_rule[]=file, enabling unrestricted file uploads (CWE-434).
Authenticated users with low privileges can exploit this vulnerability remotely with low attack complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8). Successful exploitation permits uploading arbitrary files, including server-side scripts such as PHP web shells; under default configurations, however, direct execution is prevented unless a public storage disk is explicitly configured, so the practical impact hinges on where the upload disk is rooted and whether it is web-reachable.
The issue is addressed in Sharp version 9.20.0, which removes client-controlled validation rules and enforces strict server-side upload rules. As a workaround, configure the storage disk for Sharp uploads to be strictly private. Relevant resources include the GitHub pull request at https://github.com/code16/sharp/pull/714, release notes at https://github.com/code16/sharp/releases/tag/v9.20.0, security advisory at https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9, and Laravel filesystem documentation at https://laravel.com/docs/13.x/filesystem.
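The workaround, as an added Laravel `config/filesystems.php` excerpt. This is not Sharp's configuration; the `sharp_uploads` disk name and the `app/sharp-uploads` root are assumptions, to be referenced from whichever Sharp setting selects the upload disk. The weak public disk is shown beside the private one so the difference that decides whether an uploaded PHP file can ever be executed is visible.

```php
<?php
// config/filesystems.php (excerpt). Added example, not Sharp's configuration.
// 'sharp_uploads' and its root are assumed names for illustration.

return [
    'default' => env('FILESYSTEM_DISK', 'local'),

    'disks' => [
        // WEAK for uploads: rooted under storage/app/public, which
        // `php artisan storage:link` exposes as public/storage, and it carries a
        // URL. A shell.php stored here is requested directly and run by PHP.
        'public' => [
            'driver' => 'local',
            'root' => storage_path('app/public'),
            'url' => env('APP_URL').'/storage',
            'visibility' => 'public',
        ],

        // PRIVATE: root outside the document root, no 'url' key, private
        // visibility. Files leave this disk only through application code
        // (Storage::disk('sharp_uploads')->download(...) behind authorization),
        // so an uploaded PHP file is inert bytes, never an executable URL.
        'sharp_uploads' => [
            'driver' => 'local',
            'root' => storage_path('app/sharp-uploads'),
            'visibility' => 'private',
        ],
    ],

    // Only the directories listed here are symlinked into public/.
    // The private upload root must never appear in this list.
    'links' => [
        public_path('storage') => storage_path('app/public'),
    ],
];
```

To verify the setting on a running instance, from `php artisan tinker` check that `config('filesystems.disks.sharp_uploads.visibility')` returns `private`, that `realpath(config('filesystems.disks.sharp_uploads.root'))` does not start with `public_path()`, and that `public/storage` (or any other symlink under `public/`) does not resolve into that root.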
Details
- CWE(s)