CVE-2026-33686

Summary

A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.

Detail

In src/Utils/FileUtil.php, the FileUtil::explodeExtension() function extracts a file's extension by splitting the filename at the last dot. However, the extracted extension is never sanitized. While the application uses a normalizeName() function, this function only cleans the base filename, meaning any path separators (such as /) injected into the extension will survive and be passed into the storeAs() function.

Impact

Exploiting this flaw allows an authenticated attacker to manipulate file paths:

• Files can be written outside of the intended tmp directory via path traversal. For more details on the package, visit: https://github.com/code16/sharp
• Existing critical files (such as .env or configuration files) could potentially be overwritten. Review the CWE definition here: https://cwe.mitre.org/data/definitions/22.html (Note: This vulnerability was successfully chained with CWE-434 in a local Proof of Concept to confirm the traversal.)

Patches

This issue has been patched by properly sanitizing the extension using pathinfo(PATHINFO_EXTENSION) instead of strrpos(), alongside applying strict regex replacements to both the base name and the extension. The fix is available in pull request #715

Credits

Reported by zaurgsynv.