PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61456 getgrav CVE debrief

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file extension and never invokes Security::sanitizeSVG(), so an authenticated attacker with the api.media.write permission can upload an SVG containing arbitrary JavaScript. The file is stored unmodified and served with Content-Type: image/svg+xml; when an administrator opens it in a browser (directly or via <object>/<iframe>), the embedded script executes in their session context, enabling cookie theft and session hijacking.

Vendor
getgrav
Product
grav
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of the Grav CMS with the API plugin installed, especially those allowing media uploads, should be aware of this vulnerability. This issue is particularly concerning for sites with multiple users or where administrators may view uploaded media, as it can lead to session hijacking and other malicious activities.

Technical summary

The vulnerability exists in the Grav API plugin's handling of SVG file uploads. Specifically, the plugin does not properly sanitize SVG files, which can contain JavaScript code. An attacker with the 'api.media.write' permission can upload a malicious SVG file. When an administrator views this file, the embedded JavaScript executes in their session, potentially leading to session hijacking or other malicious actions.

Defensive priority

Medium priority due to the requirement for authentication and specific permissions to exploit the vulnerability.

Recommended defensive actions

  • Update the Grav API plugin to version 1.0.3 or later.
  • Restrict the 'api.media.write' permission to trusted users.
  • Implement additional security measures for handling and validating uploaded files.
  • Monitor for suspicious media uploads and user activity.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T15:16:51.023Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify the existence of affected product deployments in managed environments and review official advisories for validation of affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T15:16:51.023Z and has not been modified since then. The NVD entry is currently Deferred.