CVE-2026-49969
HIGH SEVERITYCVSS Score & Metrics
Base Score
7.4 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Vulnerability Description
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-918
Source
NVD
Vendor
plank
Product
laravel-mediable
Discussion (0)
Add Comment
No comments yet. Be the first!