{"id":"CVE-2026-33686","summary":"Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil","details":"Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot (`strrpos()`), so everything after that dot, path separators included, is treated as the extension and passed through to the storage layer. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.","aliases":["GHSA-9ffq-6457-8958"],"modified":"2026-04-10T05:42:53.628166Z","published":"2026-03-26T21:54:25.294Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33686.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33686.json"},{"type":"FIX","url":"https://github.com/code16/sharp/pull/715"},{"type":"ADVISORY","url":"https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33686"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/code16/sharp","events":[{"introduced":"0"},{"fixed":"6c4dda66863adc067152148dff5c2f56aaa2c343"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.20.0"}]}}],"versions":["7.7.2","v4.0-BETA3","v4.0-BETA6","v4.0.0","v4.0.11","v4.0.12","v4.0.13","v4.0.14","v4.0.19","v4.0.20","v4.0.5","v4.0.7","v4.0.8","v4.1.0","v4.1.1","v4.1.11","v4.1.13","v4.1.15","v4.1.16","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.2.0","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v5.0.0","v5.1.0","v5.1.1","v5.1.2","v5.3.0","v5.3.1","v5.3.2","v5.3.3","v5.4.0","v5.4.1","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v6.0.0","v6.0.1","v6.1.0","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.2.0","v6.3.0","v6.3.1","v6.3.2","v6.3.3","v6.4.0","v6.4.1","v6.5.0","v6.5.1","v6.5.2","v6.5.3","v6.5.4","v7.0.0","v7.0.1","v7.0.2","v7.1.0","v7.10.0","v7.11.0","v7.12.0","v7.13.0","v7.14.0","v7.16.0","v7.17.0","v7.17.1","v7.17.2","v7.17.3","v7.19.0","v7.19.1","v7.2.0","v7.2.1","v7.2.2","v7.2.3","v7.2.4","v7.2.5","v7.20.0","v7.21.0","v7.22.0","v7.23.0","v7.23.2","v7.24.0","v7.25.0","v7.25.1","v7.25.2","v7.26.0","v7.26.1","v7.26.2","v7.27.0","v7.27.1","v7.28.0","v7.29.1","v7.29.2","v7.29.3","v7.29.4","v7.29.5","v7.29.6","v7.3.0","v7.4.0","v7.5.0","v7.5.1","v7.5.2","v7.6.0","v7.7.0","v7.7.1","v7.8.0","v7.9.0","v8.0.0","v8.0.1","v8.0.2","v8.0.3","v8.0.6","v8.0.7","v8.1.0","v8.1.2","v8.2.0","v8.2.1","v8.3.1","v8.3.4","v8.3.5","v8.3.6","v8.3.7","v8.4.0","v8.4.1","v8.4.2","v8.4.3","v8.4.4","v8.5.0","v8.6.0","v8.6.1","v9.0.3","v9.0.5","v9.1.0","v9.10.0","v9.10.1","v9.10.2","v9.11.0","v9.11.1","v9.12.0","v9.13.0","v9.14.0","v9.14.1","v9.14.2","v9.14.3","v9.15.0","v9.15.1","v9.16.1","v9.17.0","v9.17.1","v9.19.0","v9.19.1","v9.19.2","v9.19.3","v9.2.0","v9.2.2","v9.2.3","v9.2.4","v9.2.5","v9.2.7","v9.2.8","v9.3.1","v9.3.4","v9.3.7","v9.4.0","v9.4.1","v9.5.0","v9.5.1","v9.5.2","v9.6.2","v9.6.3","v9.6.4","v9.6.5","v9.6.6","v9.7.0","v9.7.2","v9.7.3","v9.8.1","v9.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33686.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}
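As an added illustration of the mechanism the record's details describe (this is not code from the Sharp project and not the 9.20.0 patch), the PHP below places a last-dot `strrpos()` split next to a `pathinfo()` split followed by allow-list regex replacements, runs both over constructed filenames, and checks whether a path separator survives in either part. The `storagePath()` helper, the `hasSeparator()` check, the regex character classes and the sample inputs are all assumptions made for the demonstration.

```php
<?php
// Added example, not code from the Sharp project: a strrpos()-style split of
// the kind the advisory describes, beside a pathinfo()-plus-regex split of the
// kind the fix describes. storagePath() is a hypothetical stand-in for the
// storage layer, not Sharp's own API.

// Pattern described as vulnerable: split at the last dot anywhere in the
// string. Whatever follows that dot, path separators included, becomes the
// "extension".
function explodeExtensionVulnerable(string $filename): array
{
    $pos = strrpos($filename, '.');
    if ($pos === false) {
        return [$filename, ''];
    }
    return [substr($filename, 0, $pos), substr($filename, $pos + 1)];
}

// Hardened pattern (illustrative, written to match the fix's description, not
// copied from the 9.20.0 patch): pathinfo() only examines the final path
// component, and an allow-list regex (character classes are an assumption)
// strips anything that is not a plain filename character from both parts.
function explodeExtensionHardened(string $filename): array
{
    $base = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($filename, PATHINFO_FILENAME));
    $ext  = preg_replace('/[^A-Za-z0-9]/', '', pathinfo($filename, PATHINFO_EXTENSION));
    return [$base, $ext];
}

// Hypothetical storage-path builder standing in for the storage layer that
// receives the two parts. If a separator survives in either part, the target
// can escape $dir.
function storagePath(string $dir, string $base, string $ext): string
{
    return $dir . '/' . $base . ($ext !== '' ? '.' . $ext : '');
}

// Practitioner's check: does either part still carry a path separator?
function hasSeparator(string $base, string $ext): bool
{
    return strpbrk($base, '/\\') !== false || strpbrk($ext, '/\\') !== false;
}

// Constructed inputs for the demonstration (not from the advisory). In the
// second one the last dot is the second dot of the final "..", so the
// vulnerable split yields the base name "photo.jpg/../." and the extension
// "/evil", which storagePath() reassembles into "uploads/photo.jpg/../../evil".
$inputs = [
    'report.pdf',
    'photo.jpg/../../evil',
    'notes.txt/extra/dir/file',
];

foreach ($inputs as $name) {
    [$b1, $e1] = explodeExtensionVulnerable($name);
    [$b2, $e2] = explodeExtensionHardened($name);
    printf("input:      %s\n", $name);
    printf("  strrpos:  %-32s separator=%s\n",
        storagePath('uploads', $b1, $e1), hasSeparator($b1, $e1) ? 'yes' : 'no');
    printf("  pathinfo: %-32s separator=%s\n",
        storagePath('uploads', $b2, $e2), hasSeparator($b2, $e2) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. For `report.pdf` both splits agree; for the other two inputs the `strrpos()` split carries `/` into the base name or the extension, while the `pathinfo()` split reduces them to `uploads/evil` and `uploads/file` with no separator left. The allow-list classes are deliberately ASCII-only for the demonstration; a deployment may accept a broader base-name class, but a separator or a second dot must never survive in the extension.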