File Upload Vulnerability in Grav Web Platform by Getgrav
CVE-2026-42844

8.7HIGH

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42844?

In Grav 2.0.0-beta.2, a low-privileged authenticated API user can exploit the /api/v1/blueprint-upload endpoint to upload arbitrary YAML files into the user/accounts/ directory. This allows the attacker to create a new user account with api.super privileges, leading to a complete administrative compromise of the Grav API. This vulnerability has been addressed in API version 1.0.0-beta.17.

Affected Version(s)

grav 2.0.0-beta.2

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42844 Data

JSON