CVE-2026-61457: Unrestricted Upload of File with Dangerous Type in getgrav grav
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final file extension via pathinfo($filename, PATHINFO_EXTENSION), so a user with api.media.write permission can upload a file with a double extension such as shell.php.jpg to bypass the dangerous extensions blocklist. The web server may then execute the file as PHP, resulting in remote code execution.
AI Analysis
Technical Summary
The Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3 contain a file upload extension bypass vulnerability in the API media controller. The function HandlesMediaUploads::validateFileExtension() only checks the final file extension using pathinfo, which allows an attacker with api.media.write permission to upload files with double extensions that evade the dangerous extensions blocklist. If the web server processes the uploaded file as PHP, this can result in remote code execution.
Potential Impact
An attacker with api.media.write permission can upload malicious files with double extensions that bypass extension checks. This may lead to remote code execution on the affected system if the web server executes the uploaded file as PHP code. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity with network attack vector, low privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict api.media.write permissions to trusted users only and consider additional server-side controls to prevent execution of uploaded files with suspicious extensions.
CVE-2026-61457: Unrestricted Upload of File with Dangerous Type in getgrav grav
Description
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final file extension via pathinfo($filename, PATHINFO_EXTENSION), so a user with api.media.write permission can upload a file with a double extension such as shell.php.jpg to bypass the dangerous extensions blocklist. The web server may then execute the file as PHP, resulting in remote code execution.
CVSS v4.0
Score 5.3medium
Affected software
pkg:github/getgrav/grav-plugin-apiRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3 contain a file upload extension bypass vulnerability in the API media controller. The function HandlesMediaUploads::validateFileExtension() only checks the final file extension using pathinfo, which allows an attacker with api.media.write permission to upload files with double extensions that evade the dangerous extensions blocklist. If the web server processes the uploaded file as PHP, this can result in remote code execution.
Potential Impact
An attacker with api.media.write permission can upload malicious files with double extensions that bypass extension checks. This may lead to remote code execution on the affected system if the web server executes the uploaded file as PHP code. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity with network attack vector, low privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict api.media.write permissions to trusted users only and consider additional server-side controls to prevent execution of uploaded files with suspicious extensions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-09T14:07:55.624Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a57772068715ace43a93bd3
Added to database: 07/15/2026, 12:03:44 UTC
Last enriched: 07/15/2026, 12:18:30 UTC
Last updated: 07/15/2026, 16:48:29 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.