Cyber Posture

CVE-2026-4809

Critical

Published: 26 March 2026

Modified: 26 March 2026
KEV Added: not listed
Patch: none available at publication
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0056 (68.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4809 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in plank/laravel-mediable through version 6.4.0. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). With an EPSS score of 0.0056 the CVE ranks in the top 31.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection): validate uploaded files by their content rather than the client-declared MIME type, and scan uploads for malicious code before they are stored.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly mandates validating the content of uploaded files rather than trusting the client-supplied MIME type, so executable PHP code disguised as a benign image is rejected.

- SI-3 Malicious Code Protection (prevent, detect): Deploys malicious code protection at file upload entry points to scan for and quarantine or remove dangerous files such as PHP web shells before they are stored.

- File type and extension restriction (prevent): Restricts file uploads to organization-defined safe types and extensions, blocking PHP files irrespective of a spoofed MIME type.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to upload a file of a dangerous type (for example a PHP web shell) to a public-facing Laravel application that trusts the client-declared MIME type. This maps directly to T1190: Exploit Public-Facing Application for initial access, and leads to remote code execution when the stored file lands in a web-accessible, executable location.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.

Deeper analysis

CVE-2026-4809 is a vulnerability in the plank/laravel-mediable package through version 6.4.0, a Laravel media handling library. It enables the upload of dangerous file types when an application using the package accepts or prefers a client-supplied MIME type during file upload processing. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote attacker with network access can exploit this vulnerability without authentication or user interaction by submitting a file containing executable PHP code while declaring a benign image MIME type. This results in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, it may lead to remote code execution on the server.

Published on 2026-03-26, the advisory notes that no patch was available at the time, and the vendor had not responded to coordinated disclosure attempts. Relevant references include the project repository at https://github.com/plank/laravel-mediable and the 6.4.0 release page at https://github.com/plank/laravel-mediable/releases/tag/6.4.0, which security practitioners should monitor for updates or patches.
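The following is an added example, not code from plank/laravel-mediable or its maintainers, written in Python rather than PHP so the logic can be run stand-alone. It contrasts the two upload behaviours described above: a handler that trusts the client-declared MIME type and keeps the client's filename (the pattern the advisory describes), and a hardened handler implementing the SI-10 and file-type controls listed earlier: it decides the type from leading magic bytes, requires the extension to match that type, refuses any PHP open tag in the body, and stores under a random name. The allowlist, the marker regex, the helper names and the sample uploads are all assumptions made for this example.

```python
"""Added example (not code from plank/laravel-mediable or its maintainers).

Models the two upload behaviours the advisory contrasts: a handler that
believes the MIME type the client declares and keeps the client's filename,
and a hardened handler that decides from file content, ties the extension to
the sniffed type, refuses PHP markers, and stores under a random name.
Helper names, the allowlist, the marker regex and the sample uploads are all
assumptions made for this example.
"""
import os
import re
import secrets
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

# Magic bytes for the only formats this example allows (assumed allowlist).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}
# PHP open tags anywhere in the body: an image decoder ignores them, but a
# PHP interpreter handed the file would not.
PHP_MARKER = re.compile(rb"<\?(?:php\b|=)|<script[^>]*language\s*=\s*['\"]?php", re.I)


@dataclass
class Upload:
    filename: str      # filename supplied by the client
    client_mime: str   # Content-Type supplied by the client
    content: bytes


def sniff_mime(content: bytes) -> Optional[str]:
    """Type from leading magic bytes, ignoring whatever the client declared."""
    for magic, mime in MAGIC.items():
        if content.startswith(magic):
            return mime
    return None


def weak_accept(up: Upload, dest_dir: str) -> Optional[str]:
    """Vulnerable pattern: trusts client_mime and keeps the client's extension."""
    if not up.client_mime.startswith("image/"):
        return None
    path = os.path.join(dest_dir, os.path.basename(up.filename))
    with open(path, "wb") as fh:
        fh.write(up.content)
    return path


def reject_reason(up: Upload) -> Optional[str]:
    """Why the hardened handler refuses an upload, or None if it is acceptable."""
    mime = sniff_mime(up.content)
    if mime not in ALLOWED:
        return "content is not an allowed image type"
    ext = os.path.splitext(up.filename)[1].lower()
    if ext not in ALLOWED[mime]:
        return "extension does not match content type"
    if PHP_MARKER.search(up.content):
        return "PHP code inside image body"
    return None


def hardened_accept(up: Upload, dest_dir: str) -> Optional[str]:
    """Content-validated store. dest_dir should be outside the document root,
    or on a location the web server never executes scripts from."""
    if reject_reason(up) is not None:
        return None
    ext = os.path.splitext(up.filename)[1].lower()
    path = os.path.join(dest_dir, secrets.token_hex(16) + ext)
    with open(path, "wb") as fh:
        fh.write(up.content)
    return path


# Constructed sample uploads. POLYGLOT declares image/png, begins with a real
# PNG signature, and carries a PHP web shell in its body under a .php name.
POLYGLOT = Upload("avatar.php", "image/png",
                  b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['c']); ?>")
GENUINE_PNG = Upload("avatar.png", "image/png",
                     b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)


def demo() -> Dict[str, bool]:
    """Whether each handler stores each sample upload."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "weak_polyglot": weak_accept(POLYGLOT, d) is not None,
            "weak_genuine": weak_accept(GENUINE_PNG, d) is not None,
            "hardened_polyglot": hardened_accept(POLYGLOT, d) is not None,
            "hardened_genuine": hardened_accept(GENUINE_PNG, d) is not None,
        }


if __name__ == "__main__":
    for name, stored in demo().items():
        print(f"{name}: {'stored' if stored else 'rejected'}")
```

The weak handler stores avatar.php because the declared type starts with image/; the hardened one rejects it because the extension does not match the sniffed PNG type, and would still reject a .png name carrying the same body because of the PHP marker check. Neither the magic-byte check nor the extension check alone catches the second case, which is why the advisory's precondition (storage in a web-accessible, executable location) matters as much as the MIME handling itself.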

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

CVEs Like This One

CVE-2025-54440 (shared CWE-434)
CVE-2024-56828 (shared CWE-434)
CVE-2025-34299 (shared CWE-434)
CVE-2022-50936 (shared CWE-434)
CVE-2025-12673 (shared CWE-434)
CVE-2025-13067 (shared CWE-434)
CVE-2026-3459 (shared CWE-434)
CVE-2025-48396 (shared CWE-434)
CVE-2025-67325 (shared CWE-434)
CVE-2023-50897 (shared CWE-434)

References

Project repository: https://github.com/plank/laravel-mediable
Release 6.4.0: https://github.com/plank/laravel-mediable/releases/tag/6.4.0