22 matches found
CVE-2026-62387
The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...
CVE-2026-62386
The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route JwtAuthenticator::extractBearerToken fallback. Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via th...
CVE-2026-62387 Grav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin
The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...
EUVD-2026-45086
The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route JwtAuthenticator::extractBearerToken fallback. Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via th...
CVE-2026-61457
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-61452
The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...
CVE-2026-61451
The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...
CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens
The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...
CVE-2026-61451
CVE-2026-61451 affects Grav API plugin (grav-plugin-api)
CVE-2026-61456
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...
EUVD-2026-42905
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...
CVE-2026-58656
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...
CVE-2026-58654
The Grav API plugin getgrav/grav-plugin-api 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint /api/v1/users/user/avatar. The endpoint validates only the client-declared MIME type getClientMediaType beginning with 'image/' and does not inspect the actual file...
CVE-2026-58656 Grav API Plugin - Cross-Origin Admin Account Takeover via CORS Wildcard and JWT Query Parameter
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...
CVE-2026-58656
Grav API plugin before v1.0.0-rc.16: accepts JWT tokens via the ?token= URL query parameter and replies with Access-Control-Allow-Origin: *, enabling unauthenticated cross-origin API requests. This can allow attackers who obtain a leaked JWT from logs/history to create persistent backdoor super-a...
EUVD-2026-42265
The Grav API plugin getgrav/grav-plugin-api 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint /api/v1/users/user/avatar. The endpoint validates only the client-declared MIME type getClientMediaType beginning with 'image/' and does not inspect the actual file...
CVE-2026-42843
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...
CVE-2026-42843
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...
CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...
CVE-2026-42843
The CVE-2026-42843 entry concerns Grav API Plugin for Grav CMS. It describes an insecure direct object reference and logic flaw in UsersController::update that lets any authenticated API user with api.access modify their own permission configuration, potentially escalating to Super Administrator ...