{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33686", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.931Z", "datePublished": "2026-03-26T21:54:25.294Z", "dateUpdated": "2026-03-27T13:59:50.752Z"}, "containers": {"cna": {"title": "Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958"}, {"name": "https://github.com/code16/sharp/pull/715", "tags": ["x_refsource_MISC"], "url": "https://github.com/code16/sharp/pull/715"}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"version": "< 9.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:54:25.294Z"}, "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension."}], "source": {"advisory": "GHSA-9ffq-6457-8958", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:59:38.470602Z", "id": "CVE-2026-33686", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:59:50.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33686", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:59:38.470602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:59:43.124Z"}}], "cna": {"title": "Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil", "source": {"advisory": "GHSA-9ffq-6457-8958", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"status": "affected", "version": "< 9.20.0"}]}], "references": [{"url": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958", "name": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/code16/sharp/pull/715", "name": "https://github.com/code16/sharp/pull/715", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:54:25.294Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33686", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:59:50.752Z", "dateReserved": "2026-03-23T16:34:59.931Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:54:25.294Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:code16:sharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D710527-04D5-4152-A28C-506356B95CE1", "versionEndExcluding": "9.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension."}, {"lang": "es", "value": "Sharp es un framework de gesti\u00f3n de contenido construido para Laravel como un paquete. Las versiones anteriores a la 9.20.0 tienen una vulnerabilidad de salto de ruta en la clase FileUtil. La aplicaci\u00f3n no sanitiza las extensiones de archivo correctamente, permitiendo que los separadores de ruta se pasen a la capa de almacenamiento. En 'src/Utils/FileUtil.php', la funci\u00f3n 'FileUtil::explodeExtension()' extrae la extensi\u00f3n de un archivo dividiendo el nombre del archivo en el \u00faltimo punto. Este problema ha sido parcheado en la versi\u00f3n 9.20.0 sanitizando correctamente la extensi\u00f3n usando 'pathinfo(PATHINFO_EXTENSION)' en lugar de 'strrpos()', junto con la aplicaci\u00f3n de reemplazos de expresiones regulares estrictos tanto al nombre base como a la extensi\u00f3n."}], "id": "CVE-2026-33686", "lastModified": "2026-04-01T12:26:41.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:31.050", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/code16/sharp/pull/715"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.20.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sharp", "source": "cna", "vendor": "code16"}, "product": "sharp", "vendor": "code16"}], "analysis": {"en": {"generated_at": "2026-04-02T06:05:52.680294+00:00", "value": {"mitigation_remediation": ["Upgrade Sharp to version 9.20.0 or newer to apply the official extension sanitization patch.", "If an upgrade cannot be performed immediately, implement server\u2011side validation that rejects any filename containing directory separators or other illegal characters before it reaches FileUtil."], "summary": {"action": "Immediate Patch", "impact": "Path Traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of code16\u2019s Sharp framework released before version 9.20.0. Versions 9.20.0 and later include a patch that sanitizes extensions using pathinfo and strict regex checks.", "description_and_impact": "Sharp, a Laravel content\u2011management package, contains a path traversal flaw in its FileUtil class. The explodeExtension function extracts a file's extension by splitting on the last dot without sanitizing the result, allowing directory separators to be embedded in the extension. An attacker who can provide a crafted filename is able to cause the framework to read or write files outside the intended storage directory, potentially exposing sensitive data, overwriting critical configuration files, or escalating privileges according to the web server\u2019s permissions.", "risk_and_exploitability": "The CVSS score for this flaw is 8.8, indicating high severity. The EPSS score is below 1\u202f%, suggesting a low likelihood of widespread exploitation at present. It is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector involves exploiting file\u2011upload or file\u2011download functions that pass user\u2011supplied filenames through FileUtil, allowing an attacker to supply a malicious filename that manipulates the extension field."}}}}, "created": "2026-03-27T08:31:35.740844+00:00", "updated": "2026-04-02T07:56:09.374560+00:00", "vendors": ["code16", "code16$PRODUCT$sharp"]}