CVE-2026-61457
Received Received - Intake

File Upload Extension Bypass in Grav API Plugin

Vulnerability report for CVE-2026-61457, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final file extension via pathinfo($filename, PATHINFO_EXTENSION), so a user with api.media.write permission can upload a file with a double extension such as shell.php.jpg to bypass the dangerous extensions blocklist. The web server may then execute the file as PHP, resulting in remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav_plugin_api to 1.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a file upload extension bypass in the Grav CMS API Media Controller. It allows authenticated users with the api.media.write permission to upload files with double extensions like shell.php.jpg. The system only checks the final extension (.jpg) and misses the hidden .php part. The web server may execute the file as PHP, leading to remote code execution.

Impact Analysis

An attacker could upload a malicious PHP file disguised as an image. If the server executes PHP files within images, it could lead to remote code execution on the server. Even if PHP execution is blocked, the source code may be exposed, revealing sensitive information.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR and HIPAA requirements for data protection and confidentiality. A successful exploit may expose personal or health information, resulting in legal and regulatory penalties.

Detection Guidance
  • Check Grav CMS versions: Run `composer show getgrav/grav-plugin-api` to verify if the installed version is below 1.0.3.
  • Inspect uploaded files: Look for files with double extensions like .php.jpg or similar patterns in media directories.
  • Review API media controller logs: Check server logs for unauthorized file upload attempts to the API media endpoint.
  • Validate file extensions: Use commands like `find /path/to/media -type f -name '*.php.*' -o -name '*.phtml.*'` to detect suspicious files.
Mitigation Strategies
  • Upgrade the Grav API plugin: Update to version 1.0.3 or later using `composer update getgrav/grav-plugin-api`.
  • Disable dangerous extensions: Ensure the blocklist includes all executable extensions like .php, .phtml, .phar, etc.
  • Validate full filenames: Modify the extension validation logic to check all parts of the filename, not just the last extension.
  • Restrict api.media.write permission: Limit this permission to trusted users only.
  • Scan for malicious files: Use tools like `clamav` or `rkhunter` to scan media directories for suspicious files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart