CVE-2026-33687 is a high-severity vulnerability (CVSS 8.8) in the Sharp package for Laravel, affecting versions before 9.20.0. The vulnerability is due to insufficient server-side enforcement of file upload validation rules. Specifically, the ApiFormUploadController's upload endpoint accepts a client-controlled validation_rule parameter, which is passed unchecked into Laravel's validator. By sending validation_rule[]=file, an authenticated attacker can bypass all file type restrictions, potentially uploading dangerous file types. The issue is fixed in version 9.20.0 by removing client control over validation rules and strictly defining upload rules server-side. The default configuration mitigates direct execution risks by using private storage disks, but public disk configurations remain vulnerable.

An authenticated user can bypass all file type restrictions on file uploads, potentially allowing the upload of dangerous file types. This could lead to high impact including full confidentiality, integrity, and availability compromise as indicated by the CVSS vector (C:H/I:H/A:H). However, direct execution of uploaded PHP files is prevented under default private storage disk configurations. If a public disk is used, the risk of remote code execution increases.

Upgrade Sharp to version 9.20.0 or later, where the vulnerability is fixed by removing client-controlled validation rules and enforcing strict server-side upload validation. As a workaround, ensure that the storage disk used for uploads is configured as strictly private to prevent direct execution of uploaded files. Avoid using public disk configurations for file storage. Patch status is not explicitly stated as 'patchAvailable' but the vendor fixed the issue in version 9.20.0, so upgrading to this version or later is the official fix.