PatchSiren cyber security CVE debrief
CVE-2026-58654 Grav CVE debrief
The Grav API plugin 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint validates only the client-declared MIME type (getClientMediaType) beginning with 'image/' and does not inspect the actual file content or restrict the resulting extension, allowing an authenticated user to store arbitrary content — including PHP code, SVG with embedded JavaScript, and polyglot payloads — under user/accounts/avatars/ with predictable filenames. Direct HTTP access to the stored files is blocked by .htaccess (returns 403), but the files persist on disk and could lead to remote code execution or stored XSS in the presence of a path traversal flaw or server misconfiguration.
- Vendor
- Grav
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Grav API plugin 1.0.0 should be aware of this vulnerability and take immediate action to upgrade to version 1.0.1 or apply compensating controls. This vulnerability affects operators who use the Grav API plugin, particularly those responsible for platform security, vulnerability management, and incident response. Security teams should prioritize patching or mitigating this vulnerability to prevent potential remote code execution or stored XSS attacks.
Technical summary
The vulnerability exists in the avatar upload endpoint of the Grav API plugin 1.0.0. The endpoint does not properly validate the file type, allowing an authenticated user to upload arbitrary files, including PHP code, SVG with embedded JavaScript, and polyglot payloads. Although direct HTTP access to the stored files is blocked by .htaccess, the files remain on disk and could lead to remote code execution or stored XSS if a path traversal flaw or server misconfiguration exists.
Defensive priority
High
Recommended defensive actions
- Upgrade to Grav API plugin version 1.0.1 or later
- Restrict access to the avatar upload endpoint
- Implement additional security measures to prevent path traversal and server misconfiguration
- Monitor for suspicious activity and implement logging and auditing
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-08T14:17:20.153Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to the CVE record and NVD entry, which describe the vulnerability but do not provide additional details on affected systems or exploitation. Defenders should verify the existence of Grav API plugin 1.0.0 deployments in their environments and review the official advisory for specific guidance on patching or mitigation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:20.153Z and has not been modified since then. The NVD entry is currently Deferred.