PatchSiren

getgrav CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH getgrav CVE published 2026-07-08

CVE-2026-58656

The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accou [truncated]