GHSA-f3cx-396f-7jqp

In livewire/livewire prior to `v2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:

- Filename is composed of the original file name using `$file->getClientOriginalName()`
- Files stored directly on your server in a public storage disk
- Webserver is configured to execute “.php” files

### PoC
In the following scenario, an attacker could upload a file called `shell.php` with an `image/png` MIME type and execute it on the remote server.
```php
class SomeComponent extends Component
{
use WithFileUploads;

#[Validate('image|extensions:png')]
public $file;

public function save()
{
$this->validate();

$this->file->storeAs(
path: 'images',
name: $this->file->getClientOriginalName(),
options: ['disk' => 'public'],
);
}
}
```