CVE-2026-61456
Received Received - Intake

SVG File Upload Leading to Stored XSS in Grav API Plugin

Vulnerability report for CVE-2026-61456, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file extension and never invokes Security::sanitizeSVG(), so an authenticated attacker with the api.media.write permission can upload an SVG containing arbitrary JavaScript. The file is stored unmodified and served with Content-Type: image/svg+xml; when an administrator opens it in a browser (directly or via <object>/<iframe>), the embedded script executes in their session context, enabling cookie theft and session hijacking.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav_plugin_api to 1.0.3 (exc)
getgrav grav to 1.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade the Grav API plugin to version 1.0.3 or later, where the vulnerability is patched by properly sanitizing SVG uploads.

Until the upgrade can be applied, restrict or disable the api.media.write permission to prevent unauthorized SVG uploads.

Additionally, avoid opening or rendering uploaded SVG files in browsers, especially by administrators, to prevent execution of embedded scripts.

Implement monitoring to detect and remove any malicious SVG files already uploaded.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the context of an administrator's session, potentially leading to cookie theft and session hijacking.

Such unauthorized access and data exposure could result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, the vulnerability poses a risk to compliance with these standards by enabling attackers to compromise session security and potentially access protected data.

Executive Summary

CVE-2026-61456 is a stored Cross-Site Scripting (XSS) vulnerability in the Grav CMS API plugin before version 1.0.3. The issue arises because the plugin fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. Specifically, the method that processes uploaded files only validates the file extension and does not invoke the SVG sanitization function, allowing an attacker with the api.media.write permission to upload SVG files containing arbitrary JavaScript.

These malicious SVG files are stored unmodified and served with the MIME type image/svg+xml. When an administrator or user with a valid session views the SVG file directly or embedded via HTML elements like <object> or <iframe>, the embedded JavaScript executes in their browser session.

This execution can lead to session hijacking, cookie theft, or other malicious actions within the context of the administrator's session.

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker with the api.media.write permission to upload malicious SVG files containing JavaScript. When an administrator or authorized user views these files, the embedded scripts execute in their browser session.

  • Session hijacking – attackers can take over the administrator's session.
  • Cookie theft – attackers can steal session cookies or other sensitive data.
  • Potential unauthorized actions performed in the context of the administrator's session.

Overall, this can lead to compromise of administrative control and unauthorized access to the Grav CMS environment.

Detection Guidance

Detection of this vulnerability involves identifying SVG files uploaded through the POST /api/v1/media endpoint that contain embedded JavaScript. Since the vulnerability arises from unsanitized SVG uploads by authenticated users with api.media.write permission, monitoring such uploads is key.

You can detect potentially malicious SVG files by inspecting uploaded SVG content for embedded <script> tags or JavaScript event handlers.

  • Use network monitoring or web server logs to identify POST requests to /api/v1/media.
  • Extract and analyze SVG files stored on the server for suspicious JavaScript content. For example, use grep or similar tools to search for <script> tags inside SVG files: grep -r '<script' /path/to/uploaded/svg/files
  • Check for files served with Content-Type: image/svg+xml that contain JavaScript code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart