{"id":"CVE-2026-33687","summary":"Sharp has Unrestricted File Upload via Client-Controlled Validation Rules","details":"Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.","aliases":["GHSA-fr76-5637-w3g9"],"modified":"2026-04-10T05:42:56.589255Z","published":"2026-03-26T21:47:55.573Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-434"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33687.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33687.json"},{"type":"FIX","url":"https://github.com/code16/sharp/pull/714"},{"type":"WEB","url":"https://github.com/code16/sharp/releases/tag/v9.20.0"},{"type":"ADVISORY","url":"https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9"},{"type":"WEB","url":"https://laravel.com/docs/13.x/filesystem"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33687"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/code16/sharp","events":[{"introduced":"0"},{"fixed":"6c4dda66863adc067152148dff5c2f56aaa2c343"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.20.0"}]}}],"versions":["7.7.2","v4.0-BETA3","v4.0-BETA6","v4.0.0","v4.0.11","v4.0.12","v4.0.13","v4.0.14","v4.0.19","v4.0.20","v4.0.5","v4.0.7","v4.0.8","v4.1.0","v4.1.1","v4.1.11","v4.1.13","v4.1.15","v4.1.16","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.2.0","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v5.0.0","v5.1.0","v5.1.1","v5.1.2","v5.3.0","v5.3.1","v5.3.2","v5.3.3","v5.4.0","v5.4.1","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v6.0.0","v6.0.1","v6.1.0","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.2.0","v6.3.0","v6.3.1","v6.3.2","v6.3.3","v6.4.0","v6.4.1","v6.5.0","v6.5.1","v6.5.2","v6.5.3","v6.5.4","v7.0.0","v7.0.1","v7.0.2","v7.1.0","v7.10.0","v7.11.0","v7.12.0","v7.13.0","v7.14.0","v7.16.0","v7.17.0","v7.17.1","v7.17.2","v7.17.3","v7.19.0","v7.19.1","v7.2.0","v7.2.1","v7.2.2","v7.2.3","v7.2.4","v7.2.5","v7.20.0","v7.21.0","v7.22.0","v7.23.0","v7.23.2","v7.24.0","v7.25.0","v7.25.1","v7.25.2","v7.26.0","v7.26.1","v7.26.2","v7.27.0","v7.27.1",
"v7.28.0","v7.29.1","v7.29.2","v7.29.3","v7.29.4","v7.29.5","v7.29.6","v7.3.0","v7.4.0","v7.5.0","v7.5.1","v7.5.2","v7.6.0","v7.7.0","v7.7.1","v7.8.0","v7.9.0","v8.0.0","v8.0.1","v8.0.2","v8.0.3","v8.0.6","v8.0.7","v8.1.0","v8.1.2","v8.2.0","v8.2.1","v8.3.1","v8.3.4","v8.3.5","v8.3.6","v8.3.7","v8.4.0","v8.4.1","v8.4.2","v8.4.3","v8.4.4","v8.5.0","v8.6.0","v8.6.1","v9.0.3","v9.0.5","v9.1.0","v9.10.0","v9.10.1","v9.10.2","v9.11.0","v9.11.1","v9.12.0","v9.13.0","v9.14.0","v9.14.1","v9.14.2","v9.14.3","v9.15.0","v9.15.1","v9.16.1","v9.17.0","v9.17.1","v9.19.0","v9.19.1","v9.19.2","v9.19.3","v9.2.0","v9.2.2","v9.2.3","v9.2.4","v9.2.5","v9.2.7","v9.2.8","v9.3.1","v9.3.4","v9.3.7","v9.4.0","v9.4.1","v9.5.0","v9.5.1","v9.5.2","v9.6.2","v9.6.3","v9.6.4","v9.6.5","v9.6.6","v9.7.0","v9.7.2","v9.7.3","v9.8.1","v9.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33687.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}