2 matches found
CVE-2026-42844
Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full...
CVE-2026-42844
Grav 2.0.0-beta.2 contains an authenticated API privilege-escalation in the blueprint-upload flow. A low-privileged API user (api.media.write) can write an arbitrary YAML file into user/accounts/ via /api/v1/blueprint-upload, then log in as the created account with api.super, resulting in full ad...