VYPR
Vendor: Spatie

Products: 4
CVEs: 10
Across products: 10
Status: Private

Recent CVEs: 10

  • CVE-2021-45040, Critical, Mar 17, 2022
    risk 0.64, cvss 9.8, epss 0.03

    The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.

  • CVE-2025-3192, High, Apr 4, 2025
    risk 0.53, cvss 8.2, epss 0.00

    Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.

  • CVE-2026-48557, High, May 29, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo()…

  • CVE-2024-34515, High, May 5, 2024
    risk 0.50, cvss 8.8, epss 0.02

    image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists().

  • CVE-2025-1026, High, Feb 5, 2025
    risk 0.49, cvss 8.6, epss 0.01

    Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of…

  • CVE-2024-21549, High, Dec 20, 2024
    risk 0.49, cvss 8.6, epss 0.01

    Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a…

  • CVE-2024-21544, High, Dec 13, 2024
    risk 0.49, cvss 8.6, epss 0.01

    Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local…

  • CVE-2025-1022, High, Feb 5, 2025
    risk 0.46, cvss 8.2, epss 0.00

    Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing…

  • CVE-2024-21547, High, Dec 18, 2024
    risk 0.42, cvss 7.5, epss 0.01

    Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker could read any file on the server by exploiting the normalization of \ into /.

  • CVE-2026-48555, High, May 29, 2026
    risk 0.41, cvss 7.4, epss 0.00

    Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in…