49 matches found
CVE-2026-62236
grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...
CVE-2026-62233
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achiev...
CVE-2026-62231
The Grav API plugin getgrav/grav-plugin-api before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created...
EUVD-2026-45087
The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...
CVE-2026-62236 grav-plugin-login < 3.8.11 CSRF via regenerate2FASecret
grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...
CVE-2026-62236
grav-plugin-login before 3.8.11 contains a CSRF in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated user without anti-CSRF nonce or Origin/Referer checks. Grav core dispatches the task via a top-level GET using the task: URI param...
EUVD-2026-45082
grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...
CVE-2026-62233 grav-plugin-api < 1.0.6 Privilege Escalation via createApiKey
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achiev...
CVE-2026-62233
CVE-2026-62233 affects grav-plugin-api prior to 1.0.6. The issue: createApiKey, generate2fa, and disable2fa endpoints fail to validate super-admin status, allowing non-super api.users.write managers to escalate to super-admin. As described, attackers can mint API keys bound to super-admin account...
EUVD-2026-45121
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achiev...
EUVD-2026-45119
The Grav API plugin getgrav/grav-plugin-api before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created...
CVE-2026-62231
The Grav API plugin (getgrav/grav-plugin-api) prior to version 1.0.6 has an authorization bypass in ApiKeyAuthenticator: API keys with restricted scopes are ignored, and the API key resolves to the owning user’s full account, allowing a key with limited scopes (e.g., read-only) to perform any ope...
EUVD-2026-44651
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-61457
CVE-2026-61457 : The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is vulnerable to a file upload extension bypass in the API media controller. The validation in HandlesMediaUploads::validateFileExtension() only checks the final extension via pathinfo($filename, PATHINFO_EXTENSION); a us...
CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens
The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...
EUVD-2026-44648
The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url
The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...
PT-2026-60145
Name of the Vulnerable Software and Affected Versions grav-plugin-api versions prior to 1.0.4 Description An unauthenticated attacker can cause a password reset email to contain a link pointing to a server under their control. This occurs because the sanitizeHttpUrl function fails to verify the...