CVE-2026-33687 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 26, 2026
Sharp - Broken Access Control
Overview
Sharp versions before 9.20.0 contain a broken access control vulnerability in the ApiFormUploadController file upload endpoint. The endpoint accepts a client-controlled validation_rule parameter, which lets authenticated users bypass file type restrictions.
Impact
Authenticated attackers can bypass file type restrictions, potentially uploading malicious files leading to further compromise if public storage is used.
Mitigation
Update to version 9.20.0 or later.
Social Media Activity (2 posts)
CVE-2026-33687 - High (8.8) Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within t... https://www.thehackerwire.com/vulnerability/CVE-2026-33687/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33687
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H