File Upload Extension Bypass in Grav API Plugin by Grav
CVE-2026-61457

5.3MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61457?

The Grav API plugin prior to version 1.0.3 has a critical flaw in its media upload handling. It allows attackers with the proper permissions to bypass file extension restrictions. By manipulating file names to include double extensions (e.g., 'shell.php.jpg'), malicious users can upload potentially dangerous files that may be executed by the web server, leading to unauthorized code execution and exploitation of the affected server.

Affected Version(s)

grav 0 < 1.0.3

grav 1.0.3

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
.