PatchSiren cyber security CVE debrief
CVE-2026-61456 getgrav CVE debrief
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file extension and never invokes Security::sanitizeSVG(), so an authenticated attacker with the api.media.write permission can upload an SVG containing arbitrary JavaScript. The file is stored unmodified and served with Content-Type: image/svg+xml; when an administrator opens it in a browser (directly or via <object>/<iframe>), the embedded script executes in their session context, enabling cookie theft and session hijacking.
- Vendor
- getgrav
- Product
- grav
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of the Grav CMS with the API plugin installed, especially those allowing media uploads, should be aware of this vulnerability. This issue is particularly concerning for sites with multiple users or where administrators may view uploaded media, as it can lead to session hijacking and other malicious activities.
Technical summary
The vulnerability exists in the Grav API plugin's handling of SVG file uploads. Specifically, the plugin does not properly sanitize SVG files, which can contain JavaScript code. An attacker with the 'api.media.write' permission can upload a malicious SVG file. When an administrator views this file, the embedded JavaScript executes in their session, potentially leading to session hijacking or other malicious actions.
Defensive priority
Medium priority due to the requirement for authentication and specific permissions to exploit the vulnerability.
Recommended defensive actions
- Update the Grav API plugin to version 1.0.3 or later.
- Restrict the 'api.media.write' permission to trusted users.
- Implement additional security measures for handling and validating uploaded files.
- Monitor for suspicious media uploads and user activity.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-10T15:16:51.023Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify the existence of affected product deployments in managed environments and review official advisories for validation of affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T15:16:51.023Z and has not been modified since then. The NVD entry is currently Deferred.