CVE-2026-48555 PUBLISHED

Spatie Laravel Media Library < 11.23.0 SSRF via addMediaFromUrl()

Assigner: VulnCheck
Reserved: 21.05.2026 Published: 29.05.2026 Updated: 29.05.2026

Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
CVSS Score: 5.3

Product Status

Vendor spatie
Product laravel-medialibrary
Versions Default: affected
  • affected from 0 to 11.23.0 (excl.)

Credits

  • Xurshidbek Sobirjonov finder
  • VulnCheck finder

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE