GHSA-fr76-5637-w3g9

Source
https://github.com/advisories/GHSA-fr76-5637-w3g9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fr76-5637-w3g9/GHSA-fr76-5637-w3g9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fr76-5637-w3g9
Aliases
Published
2026-03-25T20:00:24Z
Modified
2026-03-27T21:49:57.246160Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Sharp has Unrestricted File Upload via Client-Controlled Validation Rules
Details

Summary

The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions.

Details

The upload endpoint within the ApiFormUploadController accepts a client-controlled validation_rule parameter and passes it directly into the Laravel validator, so the request, not the server, decides which rules gate the upload. By intercepting the request and sending validation_rule[]=file, an attacker replaces the intended MIME type and file extension rules with a rule that only checks that a file was uploaded, bypassing those restrictions completely. The vulnerable code is located in src/Http/Controllers/Api/ApiFormUploadController.php at line 24.

Impact

This vulnerability leads to several critical security risks:

  • Attackers can upload arbitrary files, including PHP webshells, to the server (CWE-434, Unrestricted Upload of File with Dangerous Type: https://cwe.mitre.org/data/definitions/434.html).

  • MIME type and extension validation can be bypassed entirely via client-controlled rules.

  • If the storage disk is configured to be publicly accessible, this can lead to Remote Code Execution (RCE).

(Note: Under default configurations, executing uploaded PHP files directly is not possible unless a public disk configuration is in place. Vendor repository: https://github.com/code16/sharp)

Patches

This issue has been addressed by removing the client-controlled validation rules and strictly defining upload rules server-side. The fix is available in pull request https://github.com/code16/sharp/pull/714.
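The following is an added illustration of the pattern the Details and Patches sections describe; it is not code from code16/sharp, and the controller, namespace, route and allowed-type list are hypothetical. The first action reads its validation rules from the request body, so a client that sends validation_rule[]=file reduces the check to "is this an uploaded file"; the second action fixes the rules in server code, derives the stored extension from the sniffed MIME type rather than the client's filename, and writes to a private disk.

```php
<?php
// Added illustration, not code from code16/sharp. Two hypothetical Laravel
// controller actions showing the CWE-434 pattern from the advisory: the
// vulnerable action lets the client choose the validation rules that gate
// the upload; the hardened one defines them server-side.

namespace App\Http\Controllers\Example; // hypothetical namespace

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;
use Illuminate\Validation\Rules\File;

class ExampleUploadController
{
    // Hypothetical allow-list; pick it per form field in a real application.
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf'];

    // VULNERABLE (the pattern described in the advisory): the rule set comes
    // from the request body. Sending validation_rule[]=file replaces the
    // mimes/extension rules with one that only checks "a file was uploaded".
    public function uploadVulnerable(Request $request): JsonResponse
    {
        $rules = $request->input('validation_rule', ['file', 'mimes:jpg,png,pdf']);

        Validator::make(
            ['file' => $request->file('file')],
            ['file' => $rules],
        )->validate();

        // The client-supplied extension survives into the stored name.
        $path = $request->file('file')->store('uploads');

        return response()->json(['path' => $path]);
    }

    // HARDENED: rules are fixed in server code; nothing in the request body
    // can relax them.
    public function uploadHardened(Request $request): JsonResponse
    {
        $validated = $request->validate([
            'file' => [
                'required',
                File::types(self::ALLOWED_EXTENSIONS)->max(10 * 1024), // size in KB
            ],
        ]);

        $file = $validated['file'];

        // Defence in depth: never trust the client's filename or extension.
        // Use the extension Symfony guesses from the sniffed MIME type and
        // generate the stored name ourselves.
        $extension = $file->guessExtension() ?? 'bin';
        if (!in_array($extension, self::ALLOWED_EXTENSIONS, true)) {
            abort(422, 'Unsupported file type');
        }

        $path = $file->storeAs(
            'uploads',
            bin2hex(random_bytes(16)).'.'.$extension,
            ['disk' => 'local'], // private disk: not web-reachable, so a stray .php is inert
        );

        return response()->json(['path' => $path]);
    }
}
```

The hardened action keeps the private-disk choice as a second layer only: the primary fix is that the rule set is no longer negotiable by the client, which is what the patch in pull request 714 does for Sharp itself.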

Workarounds

  • Restrict Disk Access: Ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used. This mitigates code execution but does not stop arbitrary files from being stored; upgrading to 9.20.0 is the fix. For more details on Laravel disk configurations, visit: https://laravel.com/docs/13.x/filesystem
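To check whether a deployment is on an affected release, the added script below (not part of the advisory or of code16/sharp) reads a project's composer.lock and compares the locked code16/sharp version against the fixed version 9.20.0 given on this page. The file path argument and the exit-code convention are this script's own choices.

```php
<?php
// Added example, not part of the advisory or of code16/sharp: reads a
// project's composer.lock and reports whether the locked code16/sharp
// version is below the fixed release (9.20.0) named in this advisory.
// Usage: php check_sharp_version.php /path/to/composer.lock

const PACKAGE = 'code16/sharp';
const FIXED   = '9.20.0';

// Return the locked version string for $package, searching both the
// production and dev sections of the lock file, or null if absent.
function lockedVersion(string $lockPath, string $package): ?string
{
    $lock = json_decode((string) file_get_contents($lockPath), true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? null) === $package) {
                return $entry['version'] ?? null;
            }
        }
    }
    return null;
}

// Normalise Packagist tags ("v9.19.3", "9.0.0-beta.1") for version_compare(),
// which already orders alpha < beta < RC < release. Returns null for branch
// installs ("dev-main"), where the tag says nothing about the commit.
function isAffected(string $version, string $fixed = FIXED): ?bool
{
    if (str_starts_with($version, 'dev-')) {
        return null;
    }
    return version_compare(ltrim($version, 'v'), $fixed, '<');
}

$lockPath = $argv[1] ?? 'composer.lock';
$version  = lockedVersion($lockPath, PACKAGE);

if ($version === null) {
    fwrite(STDOUT, PACKAGE." not found in {$lockPath}\n");
    exit(0);
}

$affected = isAffected($version);
$verdict  = match ($affected) {
    true  => 'AFFECTED (< '.FIXED.'): upgrade, and keep the upload disk private meanwhile',
    false => 'patched (>= '.FIXED.')',
    null  => 'branch install, verify the commit manually',
};
fwrite(STDOUT, PACKAGE." {$version}: {$verdict}\n");
exit($affected === true ? 1 : 0);
```

The non-zero exit status on an affected version lets the check run in CI alongside composer audit; a branch install deliberately returns "verify manually" rather than guessing.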

Credits

Reported by zaurgsynv.

Database specific
{
    "cwe_ids": [
        "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T20:00:24Z",
    "nvd_published_at": "2026-03-26T22:16:31Z",
    "severity": "HIGH"
}
References

Affected packages

Packagist / code16/sharp

Package

Name
code16/sharp
Purl
pkg:composer/code16/sharp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.20.0

Affected versions

v4.*
v4.0-BETA1
v4.0-BETA2
v4.0-BETA3
v4.0-BETA4
v4.0-BETA5
v4.0-BETA6
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.0.21
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.1.14
v4.1.15
v4.1.16
v4.1.17
v4.1.18
v4.1.19
v4.1.20
v4.1.21
v4.1.22
v4.1.23
v4.1.24
v4.1.25
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v5.*
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-alpha.7
v5.0.0-alpha.8
v5.0.0-alpha.9
v5.0.0-alpha.10
v5.0.0
v5.0.1
v5.1.0
v5.1.1
v5.1.2
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v6.*
v6.0.0-alpha.1
v6.0.0-alpha.2
v6.0.0-alpha.3
v6.0.0-alpha.4
v6.0.0-alpha.5
v6.0.0-alpha.6
v6.0.0-alpha.7
v6.0.0-beta.1
v6.0.0-beta.2
v6.0.0-beta.3
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.2.0
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.4.0
v6.4.1
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.5.4
v6.5.5
7.*
7.0.0-alpha.1
7.7.2
7.27.0
v7.*
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.0-beta.5
v7.0.0-beta.6
v7.0.0
v7.0.1
v7.0.2
v7.1.0
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.3.0
v7.4.0
v7.5.0
v7.5.1
v7.5.2
v7.6.0
v7.7.0
v7.7.1
v7.8.0
v7.9.0
v7.10.0
v7.11.0
v7.12.0
v7.13.0
v7.14.0
v7.15.0
v7.16.0
v7.17.0
v7.17.1
v7.17.2
v7.17.3
v7.18.0
v7.19.0
v7.19.1
v7.20.0
v7.21.0
v7.22.0
v7.23.0
v7.23.1
v7.23.2
v7.24.0
v7.24.1
v7.25.0
v7.25.1
v7.25.2
v7.26.0
v7.26.1
v7.26.2
v7.27.1
v7.28.0
v7.29.0
v7.29.1
v7.29.2
v7.29.3
v7.29.4
v7.29.5
v7.29.6
v7.29.7
v7.30.0
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.1.0
v8.1.1
v8.1.2
v8.2.0
v8.2.1
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.3.7
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.4.4
v8.5.0
v8.6.0
v8.6.1
v9.*
v9.0.0-alpha.1
v9.0.0-alpha.2
v9.0.0-beta.1
v9.0.0-beta.2
v9.0.0-beta.3
v9.0.0-beta.4
v9.0.0-beta.5
v9.0.0-beta.6
v9.0.0-beta.7
v9.0.0-beta.8
v9.0.0-beta.9
v9.0.0-beta.10
v9.0.0-beta.11
v9.0.0-beta.12
v9.0.0-beta.13
v9.0.0-beta.14
v9.0.0-beta.15
v9.0.0-beta.16
v9.0.0-beta.17
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9
v9.1.0
v9.1.1
v9.1.2
v9.2.0
v9.2.1
v9.2.2
v9.2.3
v9.2.4
v9.2.5
v9.2.6
v9.2.7
v9.2.8
v9.3.0
v9.3.1
v9.3.2
v9.3.3
v9.3.4
v9.3.5
v9.3.6
v9.3.7
v9.4.0
v9.4.1
v9.5.0
v9.5.1
v9.5.2
v9.6.0
v9.6.1
v9.6.2
v9.6.3
v9.6.4
v9.6.5
v9.6.6
v9.7.0
v9.7.1
v9.7.2
v9.7.3
v9.8.0
v9.8.1
v9.9.0
v9.10.0
v9.10.1
v9.10.2
v9.11.0
v9.11.1
v9.12.0
v9.13.0
v9.13.1
v9.14.0
v9.14.1
v9.14.2
v9.14.3
v9.14.4
v9.15.0
v9.15.1
v9.16.0
v9.16.1
v9.17.0
v9.17.1
v9.18.0
v9.19.0
v9.19.1
v9.19.2
v9.19.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fr76-5637-w3g9/GHSA-fr76-5637-w3g9.json"