CVE-2026-61452
The Grav API plugin (getgrav/grav-plugin-api) up to version 2.0.3 has an improper session invalidation flaw: JWT access tokens are issued without a jti (JWT ID) claim and cannot be revoked server-side. Access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, passw...