CVE-2026-58654
Deferred Deferred - Pending Action

Unrestricted File Upload in Grav API Plugin

Vulnerability report for CVE-2026-58654, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint validates only the client-declared MIME type (getClientMediaType) beginning with 'image/' and does not inspect the actual file content or restrict the resulting extension, allowing an authenticated user to store arbitrary content β€” including PHP code, SVG with embedded JavaScript, and polyglot payloads β€” under user/accounts/avatars/ with predictable filenames. Direct HTTP access to the stored files is blocked by .htaccess (returns 403), but the files persist on disk and could lead to remote code execution or stored XSS in the presence of a path traversal flaw or server misconfiguration. Fixed in 1.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav-plugin-api to 1.0.1 (inc)
getgrav grav-plugin-api to 1.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users to upload arbitrary files, including malicious code, which could lead to remote code execution or stored cross-site scripting (XSS) if combined with other server misconfigurations or path traversal flaws.

Such security weaknesses could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and confidentiality, as well as secure handling of user data and prevention of unauthorized access or code execution.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.

Executive Summary

CVE-2026-58654 is an unrestricted file upload vulnerability in the Grav API plugin version 1.0.0, specifically in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint only validates the client-declared MIME type starting with 'image/' but does not verify the actual file content or restrict the file extension. This allows an authenticated user to upload arbitrary files, including malicious ones such as PHP code, SVG files with embedded JavaScript, or polyglot payloads.

These files are stored in the user/accounts/avatars/ directory with predictable filenames. Although direct HTTP access to these files is blocked by .htaccess rules (returning a 403 error), the files remain on disk and could be exploited if there is a path traversal vulnerability or server misconfiguration, potentially leading to remote code execution or stored cross-site scripting (XSS).

The vulnerability requires an authenticated user with any role that allows site login and has been fixed in version 1.0.1 of the plugin.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to upload malicious files to the server, which could lead to serious security issues.

  • Remote code execution if the server has a path traversal flaw or misconfiguration that allows execution of uploaded malicious files.
  • Stored cross-site scripting (XSS) attacks through malicious SVG files with embedded JavaScript.
  • Persistence of malicious files on disk and backups, increasing the risk of exploitation over time.

Overall, this can compromise system integrity and security, potentially allowing attackers to execute arbitrary code or scripts on the server.

Detection Guidance

This vulnerability can be detected by checking for the presence of unexpected or suspicious files in the user/accounts/avatars/ directory, especially files with extensions that do not match their actual content or files containing executable code such as PHP or SVG with embedded JavaScript.

Since the endpoint accepts files based only on the client-declared MIME type starting with 'image/', you can look for files that have image extensions but contain non-image content.

  • Use commands to list files in the avatars directory and inspect their content, for example:
  • 1. List files with details: `ls -l user/accounts/avatars/`
  • 2. Identify files with suspicious extensions or content: `file user/accounts/avatars/*`
  • 3. Search for PHP code or JavaScript inside files: `grep -rE "<\?php|<script" user/accounts/avatars/`
  • 4. Check web server logs for any unusual access attempts or errors related to the avatars directory.
Mitigation Strategies

The immediate mitigation step is to upgrade the Grav API plugin to version 1.0.1 or later, where this vulnerability has been fixed.

Additionally, restrict file uploads by validating the actual file content and not relying solely on the client-declared MIME type.

Ensure that the web server configuration properly blocks direct HTTP access to uploaded files, as is done with the .htaccess file returning 403 errors.

Review and clean the user/accounts/avatars/ directory to remove any suspicious or malicious files that may have been uploaded.

Monitor server logs for any suspicious activity related to file uploads or access attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart