CVE-2026-4809

CVE-2026-4809: Unrestricted File Upload in plank/laravel-mediable

Verified by Precogs Threat Research
Last Updated: Mar 26, 2026
Base Score: CRITICAL

Executive Summary

CVE-2026-4809 is a critical severity vulnerability affecting the plank/laravel-mediable package. It is classified as Unrestricted Upload (CWE-434). Ensure your systems and dependencies are patched immediately to mitigate exposure risks.

Precogs AI Insight

"Precogs AI detected this vulnerability pattern in Unrestricted Upload implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."

Exploit Probability: High (84%)
Public POC: Available
Affected Assets: CWE-434

Summary

A critical unrestricted file upload vulnerability (CVE-2026-4809) has been identified in the plank/laravel-mediable package affecting versions through 6. The package fails to properly validate file types and extensions during upload operations, resulting in an Unrestricted Upload of File with Dangerous Type (CWE-434).

Technical Details

The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The laravel-mediable package handles media uploads in Laravel applications, but it trusts the client-supplied Content-Type header instead of inspecting the uploaded bytes on the server side, and the extension of the stored file is not checked against an allow-list of safe formats.

When the application stores media files in a publicly accessible directory (e.g., /public/media/), an uploaded PHP payload will execute under the context of the web server user.

Exploitation Context

  • Vector: Remote / Network-based
  • Authentication: Not required
  • Complexity: Low
  • Impact: High (Confidentiality, Integrity, and Availability)

An attacker crafts a malicious PHP web shell, submits a multipart form upload with a manipulated Content-Type: image/jpeg header, and the vulnerable package writes payload.php to disk. Navigating to the uploaded file achieves full RCE.

Remediation

Users of plank/laravel-mediable should immediately:

  1. Upgrade to the latest patched version (7.0 or the backported security patch for 6.x), which enforces robust server-side file inspection and strict extension whitelists.
  2. Configure the web server to prevent execution of server-side scripts in upload directories (e.g., Nginx deny all rules for .php files in media paths).
  3. Offload media uploads to cloud storage (e.g., AWS S3) which does not execute PHP scripts, completely neutralizing the RCE vector.
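The following is an added example, not code from plank/laravel-mediable or from Precogs, showing the two validation defects described in the Technical Details section next to the server-side checks that remediation step 1 calls for: the allow-list of extensions (ALLOWED_TYPES), the function names and the constructed sample files are assumptions made for this illustration.

```php
<?php
// Added example (not part of plank/laravel-mediable): server-side validation of a
// multipart upload that ignores the client-supplied Content-Type header.
declare(strict_types=1);

// Allow-list of stored extensions and the real MIME types each may contain.
// Constructed for this example; a project would keep its own list.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Vulnerable pattern (the CWE-434 shape described above): the only check is the
 * client-controlled $file['type'] (the multipart Content-Type), and the
 * client-chosen filename is kept, so "payload.php" sent as image/jpeg is stored as-is.
 */
function storeUploadUnsafe(array $file, string $mediaDir): string
{
    if (!str_starts_with($file['type'], 'image/')) {
        throw new RuntimeException('Not an image');
    }
    $dest = $mediaDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/**
 * Hardened validation. Returns the extension the file may be stored under.
 * $file has the $_FILES shape: name, type, tmp_name, error, size.
 */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file supplied');
    }
    // 1. Extension allow-list. Only the LAST extension counts, lower-cased, so
    //    "shell.php.jpg" is judged as "jpg" (and must then contain real JPEG bytes)
    //    while "shell.jpg.php" is judged as "php" and rejected outright.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }
    // 2. Content inspection. finfo reads the magic bytes from the temp file on disk;
    //    $file['type'] is never consulted because the client chooses it freely.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("Content type '$detected' does not match extension '$ext'");
    }
    return $ext;
}

function storeUploadSafe(array $file, string $mediaDir): string
{
    $ext = validateUpload($file);
    // 3. Never reuse the client filename: random name plus the validated extension,
    //    so neither the basename nor a second extension is attacker-controlled.
    $dest = $mediaDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store uploaded file');
    }
    return $dest;
}

// Offline demonstration with constructed files (move_uploaded_file() only accepts
// real HTTP uploads, so only the validation step is exercised here).
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)); // PNG magic bytes
    $txt = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($txt, "<?php echo 'not an image';");               // PHP source, not JPEG

    $cases = [
        ['name' => 'photo.png',   'type' => 'image/png',  'tmp_name' => $png, 'error' => UPLOAD_ERR_OK],
        ['name' => 'payload.php', 'type' => 'image/jpeg', 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK], // lying Content-Type
        ['name' => 'payload.jpg', 'type' => 'image/jpeg', 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK], // lying extension
    ];
    foreach ($cases as $file) {
        try {
            echo $file['name'] . ': accepted as .' . validateUpload($file) . PHP_EOL;
        } catch (RuntimeException $e) {
            echo $file['name'] . ': rejected (' . $e->getMessage() . ')' . PHP_EOL;
        }
    }
    unlink($png);
    unlink($txt);
}
```

Run with `php upload_check.php` (any filename): the PNG is accepted, the `.php` name is rejected by the extension allow-list, and the `.jpg` name with PHP content is rejected by the finfo check. Steps 2 and 3 of the remediation remain worthwhile even with this validation in place, because a web server that refuses to execute scripts under the media path (an Nginx `deny all` location for `.php` under `/media/`, as the advisory suggests) or storage on S3 limits the damage if a check is ever bypassed.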

Precogs AI Integration

The Precogs AI Code Security Platform automatically detects unrestricted file upload paths by tracing data flow from HTTP controllers to local disk writing sinks. By analyzing the Abstract Syntax Tree (AST), Precogs ensures that robust validation occurs before any file touches the disk, catching CWE-434 patterns during the CI/CD pipeline.
