HIGH
getgrav
CVE published 2026-07-08
CVE-2026-58656
The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accou [truncated]