Stored XSS Vulnerability in Grav API Plugin by Grav
CVE-2026-61456
What is CVE-2026-61456?
The Grav API plugin, prior to version 1.0.3, introduces a vulnerability that allows authenticated users with the api.media.write permission to upload SVG files through the /api/v1/media endpoint without proper sanitization. The HandlesMediaUploads::processUploadedFile() method only checks for file extensions and neglects to call Security::sanitizeSVG(). This oversight permits attackers to embed malicious JavaScript within SVG files. The uploaded files remain unaltered and are served with a Content-Type of image/svg+xml, leading to potential execution of the embedded script in an administrator's session when accessed via a browser. This can result in cookie theft and session hijacking, posing significant security risks for users.
Affected Version(s)
grav 0 < 1.0.3
grav 1.0.3
