Attack Chain

1. An authenticated user logs into the Sharp Laravel admin panel.
2. The user navigates to a section of the application that utilizes the file upload functionality.
3. The user intercepts the HTTP request sent to the /api/form/upload endpoint.
4. The user modifies the request body, specifically the validation_rule parameter, setting it to validation_rule[]=file.
5. The modified request is sent to the server, bypassing MIME type and file extension checks.
6. The server processes the upload request, saving the arbitrary file (e.g., a PHP webshell) to the designated storage disk.
7. If the storage disk is publicly accessible, the attacker can access the uploaded file via a web browser.
8. The attacker executes the uploaded PHP webshell, achieving remote code execution (RCE) on the server.

Impact

Successful exploitation of this vulnerability allows attackers to upload arbitrary files, including PHP webshells, to the affected server. This can lead to Remote Code Execution (RCE) if the server’s storage disk is misconfigured to be publicly accessible. While default configurations prevent direct execution of uploaded PHP files, compromised servers can be leveraged for lateral movement, data exfiltration, or further malicious activities. This vulnerability impacts all installations of code16/sharp prior to version 9.20.0.

Recommendation

• Upgrade code16/sharp to version 9.20.0 or later to remediate CVE-2026-33687.
• Ensure that the storage disk used for Sharp uploads is strictly private, as described in the Laravel filesystem documentation (https://laravel.com/docs/13.x/filesystem).
• Deploy the Sigma rule “Detect Sharp File Upload Bypass Attempt” to identify attempts to exploit this vulnerability based on the validation_rule parameter.
• Monitor web server logs for suspicious file uploads to the /api/form/upload endpoint, correlating with user activity and file extensions.