{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33687", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.932Z", "datePublished": "2026-03-26T21:47:55.573Z", "dateUpdated": "2026-03-27T20:28:53.385Z"}, "containers": {"cna": {"title": "Sharp has Unrestricted File Upload via Client-Controlled Validation Rules", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9"}, {"name": "https://github.com/code16/sharp/pull/714", "tags": ["x_refsource_MISC"], "url": "https://github.com/code16/sharp/pull/714"}, {"name": "https://github.com/code16/sharp/releases/tag/v9.20.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/code16/sharp/releases/tag/v9.20.0"}, {"name": "https://laravel.com/docs/13.x/filesystem", "tags": ["x_refsource_MISC"], "url": "https://laravel.com/docs/13.x/filesystem"}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"version": "< 9.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:53:26.004Z"}, "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used."}], "source": {"advisory": "GHSA-fr76-5637-w3g9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:28:24.566534Z", "id": "CVE-2026-33687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:28:53.385Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T20:28:24.566534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:28:45.553Z"}}], "cna": {"title": "Sharp has Unrestricted File Upload via Client-Controlled Validation Rules", "source": {"advisory": "GHSA-fr76-5637-w3g9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"status": "affected", "version": "< 9.20.0"}]}], "references": [{"url": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9", "name": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/code16/sharp/pull/714", "name": "https://github.com/code16/sharp/pull/714", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/code16/sharp/releases/tag/v9.20.0", "name": "https://github.com/code16/sharp/releases/tag/v9.20.0", "tags": ["x_refsource_MISC"]}, {"url": "https://laravel.com/docs/13.x/filesystem", "name": "https://laravel.com/docs/13.x/filesystem", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:53:26.004Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33687", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:28:53.385Z", "dateReserved": "2026-03-23T16:34:59.932Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:47:55.573Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used."}], "id": "CVE-2026-33687", "lastModified": "2026-03-26T22:16:31.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T22:16:31.203", "references": [{"source": "[email protected]", "url": "https://github.com/code16/sharp/pull/714"}, {"source": "[email protected]", "url": "https://github.com/code16/sharp/releases/tag/v9.20.0"}, {"source": "[email protected]", "url": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9"}, {"source": "[email protected]", "url": "https://laravel.com/docs/13.x/filesystem"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.20.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sharp", "source": "cna", "vendor": "code16"}, "product": "sharp", "vendor": "code16"}], "analysis": {"en": {"generated_at": "2026-03-26T23:51:32.166285+00:00", "value": {"mitigation_remediation": ["Update Sharp to version 9.20.0 or later to remove client\u2011controlled validation rules", "If the upgrade is not possible, configure the Sharp upload storage disk as private so that uploaded PHP or other executable files cannot be served directly", "Verify that any publicly accessible upload directories are protected and monitor upload logs for unexpected file types", "Enforce stricter MIME type and extension checks on the server side if custom upload handling is implemented"], "summary": {"action": "Patch Immediately", "impact": "Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Sharp content\u2011management framework distributed by code16. All releases prior to version 9.20.0 are vulnerable. Any Laravel application that includes Sharp and uses its default upload endpoint exposes users who are authenticated to the system.", "description_and_impact": "Sharp\u2019s file upload endpoint accepts a client\u2011controlled validation_rule parameter that is passed directly to Laravel\u2019s validator with no server\u2011side enforcement. Because an authenticated user can set validation_rule[]=file, the original file type and MIME type restrictions are completely bypassed, allowing the upload of any file type. While the default configuration does not execute PHP files unless a public disk is used, the ability to upload arbitrary files can compromise confidentiality and integrity if the upload location is misconfigured or later exploited.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this issue as high severity. No EPSS score is available and it is not listed in CISA\u2019s KEV catalog, yet the vulnerability remains exploitable because it only requires authenticated access\u2014a capability often granted to normal users in CMS environments. The exploit chain involves crafting a request that includes validation_rule[]=file; this enables the attacker to upload files without restriction, potentially leading to further compromise if the upload storage is publicly accessible or if other vulnerabilities are present."}}}}, "created": "2026-03-27T08:31:36.680428+00:00", "updated": "2026-03-27T09:23:02.414749+00:00", "vendors": ["code16", "code16$PRODUCT$sharp"]}