Perceptive Security
SOC/SIEM Consultancy

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the fi…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 21:09:42
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-48557 affects Spatie Laravel Media Library versions before 11.23.0: a file upload restriction bypass in the FileAdder::defaultSanitizer() function. The sanitizer can be bypassed in two ways: with double-extension filenames such as shell.php.jpg, which pass because the check looks only at the final extension returned by pathinfo(), and through an incomplete blocklist that omits executable extensions such as .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration for PHP execution, while the incomplete-blocklist bypass works without any additional server configuration. The vulnerability can lead to remote code execution through malicious file uploads.
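To show why the two bypasses work and what a stricter check looks like, here is an added PHP example; it is not code from spatie/laravel-medialibrary, and the blocklists and function names are this example's own assumptions (the "incomplete" list is a hypothetical stand-in, not the library's actual list).

```php
<?php
// Added example, not code from spatie/laravel-medialibrary. The blocklists and
// function names below are this example's own assumptions.

// Hypothetical incomplete blocklist of the kind the advisory describes:
// it does not cover .php6, .shtml or .htaccess.
const INCOMPLETE_BLOCKLIST = ['php', 'php3', 'php4', 'php5', 'phtml'];

// Broader list that also covers the extensions the advisory names as missing.
const BROADER_BLOCKLIST = [
    'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', 'phar',
    'shtml', 'shtm', 'htaccess', 'htpasswd',
];

// Weak check: only the final extension, as pathinfo() reports it, is examined.
// pathinfo('shell.php.jpg', PATHINFO_EXTENSION) is 'jpg', so the name passes.
function isBlockedByFinalExtension(string $fileName, array $blocklist): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, $blocklist, true);
}

// Stricter check: every dot-separated segment after the first is treated as an
// extension, so 'shell.php.jpg' is rejected because of its inner 'php'.
// For '.htaccess' the first segment is empty and 'htaccess' is still checked.
function isBlockedByAnyExtension(string $fileName, array $blocklist): bool
{
    $segments = explode('.', strtolower($fileName));
    foreach (array_slice($segments, 1) as $ext) {
        if (in_array($ext, $blocklist, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names covering the two bypass classes from the advisory.
$samples = ['photo.jpg', 'shell.php.jpg', 'page.shtml', '.htaccess', 'app.php6'];
foreach ($samples as $name) {
    printf("%-14s final-ext/incomplete: %-6s any-segment/broader: %s\n",
        $name,
        isBlockedByFinalExtension($name, INCOMPLETE_BLOCKLIST) ? 'block' : 'allow',
        isBlockedByAnyExtension($name, BROADER_BLOCKLIST) ? 'block' : 'allow');
}
```

Any blocklist remains incomplete by nature; an allowlist of the extensions the application actually expects, combined with storing uploads outside any path the web server will execute, is the more robust control.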
Technical details
Mitigation steps:
Upgrade Spatie Laravel Media Library to version 11.23.0 or later.
Affected products:
Spatie Laravel Media Library
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-48557
https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba
https://github.com/spatie/laravel-medialibrary/pull/3939
https://github.com/spatie/laravel-medialibrary/releases/tag/11.23.0
https://www.vulncheck.com/advisories/spatie-laravel-media-library-file-upload-restriction-bypass-via-fileadder-php
This article was created with the assistance of AI technology by Perceptive.
