Arbitrary File Upload Vulnerability in Grav API Plugin from GetGrav
CVE-2026-58654

5.3MEDIUM

Key Information:

Vendor

Grav

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-58654?

The Grav API plugin version 1.0.0 presents an arbitrary file upload vulnerability through its avatar upload endpoint. This flaw allows authenticated users to upload files without proper validation of their content, relying solely on the client-declared MIME type. As a result, attackers can upload malicious files, such as PHP scripts or SVGs with embedded JavaScript, which could lead to potential remote code execution or stored cross-site scripting (XSS) attacks. Although direct access to these uploaded files is restricted by .htaccess, they remain on the server and can pose a significant risk, especially in the case of server misconfigurations. The issue has been resolved in version 1.0.1.

Affected Version(s)

Grav 0 < 1.0.1

Grav 1.0.1

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nicl4ssic
.