Stored XSS Vulnerability in Grav API Plugin by Grav
CVE-2026-61456

5.1MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-61456?

The Grav API plugin, prior to version 1.0.3, introduces a vulnerability that allows authenticated users with the api.media.write permission to upload SVG files through the /api/v1/media endpoint without proper sanitization. The HandlesMediaUploads::processUploadedFile() method only checks for file extensions and neglects to call Security::sanitizeSVG(). This oversight permits attackers to embed malicious JavaScript within SVG files. The uploaded files remain unaltered and are served with a Content-Type of image/svg+xml, leading to potential execution of the embedded script in an administrator's session when accessed via a browser. This can result in cookie theft and session hijacking, posing significant security risks for users.

Affected Version(s)

grav 0 < 1.0.3

grav 1.0.3

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
.