CVE-2026-58654 in API Plugininfo

Summary

by MITRE • 07/08/2026

The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint validates only the client-declared MIME type (getClientMediaType) beginning with 'image/' and does not inspect the actual file content or restrict the resulting extension, allowing an authenticated user to store arbitrary content — including PHP code, SVG with embedded JavaScript, and polyglot payloads — under user/accounts/avatars/ with predictable filenames. Direct HTTP access to the stored files is blocked by .htaccess (returns 403), but the files persist on disk and could lead to remote code execution or stored XSS in the presence of a path traversal flaw or server misconfiguration. Fixed in 1.0.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The Grav API plugin version 1.0.0 contains a critical unrestricted file upload vulnerability within its avatar upload endpoint at /api/v1/users/user/avatar that represents a significant security weakness in the authentication and file handling mechanisms. This flaw stems from inadequate validation procedures where the system only checks the client-declared MIME type through getClientMediaType function, specifically verifying if it begins with 'image/' without performing actual content inspection or extension restriction. The vulnerability affects authenticated users who can exploit this weakness to upload malicious files with arbitrary content including PHP scripts, SVG files containing embedded JavaScript code, and polyglot payloads that can bypass standard security measures. The uploaded files are stored in the user/accounts/avatars/ directory with predictable filenames, creating a systematic attack surface that adversaries can reliably target.

The technical implementation of this vulnerability allows for persistent storage of malicious content on the server filesystem despite the presence of .htaccess protection that blocks direct HTTP access to these files. This configuration creates a false sense of security since while the web server prevents direct execution through HTTP requests, the files remain accessible at the filesystem level and could potentially be exploited through path traversal vulnerabilities or server misconfigurations that might allow arbitrary file access. The persistence of these files on disk means they can serve as attack vectors for remote code execution when combined with other vulnerabilities or misconfigurations that allow file inclusion or execution. This represents a classic example of insecure file upload handling that violates fundamental security principles and creates opportunities for privilege escalation and persistent attacks.

The operational impact of this vulnerability extends beyond simple file storage concerns to potentially enable full system compromise through remote code execution capabilities, especially when combined with other vulnerabilities in the Grav CMS ecosystem. The predictable filename structure means attackers can reliably target specific avatar files without needing to guess or enumerate paths, significantly reducing attack complexity and increasing exploit reliability. This vulnerability also creates opportunities for stored cross-site scripting attacks when the avatar content is displayed within the application interface, particularly if proper sanitization and output encoding are not implemented. The fix in version 1.0.1 addresses this by implementing proper file validation mechanisms that check both file content and extension restrictions, preventing the storage of non-image files while maintaining legitimate user functionality.

This vulnerability aligns with CWE-434 which defines insecure file upload as a weakness where applications accept untrusted files without proper validation, allowing malicious content to be stored on the server. The issue also maps to ATT&CK technique T1505.003 for Server Software Component compromise through malicious file uploads, and potentially T1203 for Exploitation for Client Execution when combined with XSS vectors. Organizations using Grav CMS should prioritize immediate patching of this vulnerability and implement additional monitoring for suspicious file upload activities, particularly in user account management areas where similar patterns might exist. The incident highlights the critical importance of proper input validation and content inspection in web applications, especially when handling user-uploaded files that can bypass traditional security controls through simple MIME type manipulation or predictable path exploitation techniques.

Responsible

VulnCheck

Reservation

07/01/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!