Cyber Resilience

CVE-2026-33687

Severity: High
Published: 26 March 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33687 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Code16 Sharp. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked at the 39.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

Sharp, a content management framework built as a Laravel package, contains a vulnerability in versions prior to 9.20.0 within the file upload endpoint of the ApiFormUploadController. The endpoint accepts a client-controlled validation_rule parameter, which is passed directly to the Laravel validator without adequate server-side enforcement. This allows attackers to bypass all MIME type and file extension restrictions by intercepting requests and setting validation_rule[]=file, enabling unrestricted file uploads (CWE-434).

Authenticated users with low privileges can exploit this vulnerability remotely with low attack complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8). Successful exploitation permits uploading arbitrary files, potentially including malicious executables like PHP shells, though under default configurations, direct execution is prevented unless a public storage disk is explicitly configured.

The issue is addressed in Sharp version 9.20.0, which removes client-controlled validation rules and enforces strict server-side upload rules. As a workaround, configure the storage disk for Sharp uploads to be strictly private. Relevant resources include the GitHub pull request at https://github.com/code16/sharp/pull/714, release notes at https://github.com/code16/sharp/releases/tag/v9.20.0, security advisory at https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9, and Laravel filesystem documentation at https://laravel.com/docs/13.x/filesystem.

Vulnerability details

Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
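The bug class above, as an added illustration written for this page rather than code taken from Sharp or its fix: a Laravel controller that lets the request choose its own validation rules, beside the hardened form that pins the rules server-side and writes to a private disk. `UploadController`, the `uploads` directory and the accepted MIME list are assumptions, not Sharp's actual values.

```php
<?php
// Illustrative Laravel controller (assumed names; NOT Sharp's ApiFormUploadController).

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class UploadController extends Controller
{
    // Vulnerable pattern: the rules applied to the uploaded file come from the
    // request itself. A client that sends validation_rule[]=file replaces the
    // intended mimes/extension rules with the bare 'file' rule, so any file
    // type passes validation. Storing on the public disk then makes the
    // uploaded file reachable (and, for scripts, executable) by URL.
    public function storeVulnerable(Request $request)
    {
        $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png,pdf']);

        Validator::make($request->all(), ['file' => $rules])->validate();

        return $request->file('file')->store('uploads', 'public');
    }

    // Hardened pattern, mirroring the 9.20.0 fix described above: rules are
    // fixed server-side, any client-supplied validation_rule parameter is
    // ignored, and the file goes to a private disk (the advisory's workaround)
    // under a server-generated name.
    public function storeHardened(Request $request)
    {
        $request->validate([
            'file' => ['required', 'file', 'mimes:jpg,png,pdf', 'max:10240'],
        ]);

        // 'local' is Laravel's default private disk: files there are not served
        // by the web server, so an uploaded script cannot be run by requesting it.
        $path = $request->file('file')->store('uploads', 'local');

        return response()->json(['path' => $path]);
    }
}
```

Detection of the vulnerable pattern in a code review is mechanical: any call where the second argument to `Validator::make()` or `$request->validate()` is derived from request input is the defect.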

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques? Unrestricted file upload (CWE-434) in a web application endpoint directly enables exploitation of a public-facing application to deploy PHP web shells.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33686 (same product: Code16 Sharp)
CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)

Affected Assets

code16 sharp ≤ 9.20.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces server-side validation of client-controlled parameters like validation_rule and file metadata to directly prevent bypass of MIME type and extension restrictions in the upload endpoint.

Prevent: Restricts file upload inputs at application boundaries to only organization-defined valid types, blocking arbitrary file uploads regardless of manipulated validation rules.

Prevent, detect: Detects and eradicates malicious code such as PHP shells in uploaded files, mitigating the impact of unrestricted file uploads.