Arbitrary File Upload Vulnerability in Grav API Plugin from GetGrav
CVE-2026-58654
5.3MEDIUM
What is CVE-2026-58654?
The Grav API plugin version 1.0.0 presents an arbitrary file upload vulnerability through its avatar upload endpoint. This flaw allows authenticated users to upload files without proper validation of their content, relying solely on the client-declared MIME type. As a result, attackers can upload malicious files, such as PHP scripts or SVGs with embedded JavaScript, which could lead to potential remote code execution or stored cross-site scripting (XSS) attacks. Although direct access to these uploaded files is restricted by .htaccess, they remain on the server and can pose a significant risk, especially in the case of server misconfigurations. The issue has been resolved in version 1.0.1.
Affected Version(s)
Grav 0 < 1.0.1
Grav 1.0.1
