Back to CVE List

CVE-2026-49969

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.4 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Vulnerability Description

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-918
Source
NVD
Vendor
plank
Product
laravel-mediable

External References

Discussion (0)

Add Comment

No comments yet. Be the first!