CVE-2026-61456 in Grav
Summary
by MITRE • 07/10/2026
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file extension and never invokes Security::sanitizeSVG(), so an authenticated attacker with the api.media.write permission can upload an SVG containing arbitrary JavaScript. The file is stored unmodified and served with Content-Type: image/svg+xml; when an administrator opens it in a browser (directly or via <object>/<iframe>), the embedded script executes in their session context, enabling cookie theft and session hijacking.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in the Grav API plugin affects versions prior to 1.0.3 and represents a critical security flaw in the media upload handling mechanism. This issue stems from inadequate input validation within the HandlesMediaUploads::processUploadedFile() method which only checks file extensions without implementing proper SVG sanitization. The flaw allows authenticated attackers who possess the api.media.write permission to bypass security controls by uploading malicious SVG files containing embedded JavaScript code. This represents a classic server-side vulnerability where client-side validation is insufficient and lacks proper content sanitization.
The technical implementation of this vulnerability demonstrates a failure in the principle of least privilege and input validation. The system validates only the file extension against a whitelist but fails to sanitize the actual content of SVG files, creating an attack surface where malicious code can be embedded within otherwise legitimate file types. According to CWE-20, this corresponds to improper input validation where the application does not properly validate or sanitize user-supplied data before processing it. The vulnerability specifically targets the media upload endpoint at POST /api/v1/media and affects the security posture through a lack of proper content sanitization routines.
The operational impact of this vulnerability is severe as it enables persistent cross-site scripting attacks that can compromise administrator sessions. When an administrator views the malicious SVG file directly or through the web interface, the embedded JavaScript executes within their browser session context, potentially leading to cookie theft, session hijacking, and complete administrative compromise. This attack vector aligns with ATT&CK technique T1566 which covers social engineering attacks including the use of malicious files. The vulnerability essentially transforms a legitimate media upload functionality into a weapon for executing arbitrary code in the context of privileged users.
The security implications extend beyond simple script execution to encompass full session compromise and potential lateral movement within the application. Attackers can leverage this vulnerability to steal administrative cookies, modify content, access sensitive data, or establish persistent backdoors through the compromised administrator session. The fact that the file is stored unmodified and served with the correct MIME type image/svg+xml makes detection more difficult as it appears legitimate to both the system and users. This vulnerability highlights the importance of implementing proper content sanitization for all user-uploaded files regardless of their apparent legitimacy, particularly when dealing with rich media formats like SVG that can contain executable code.
Mitigation strategies should include immediate patching to version 1.0.3 or later where Security::sanitizeSVG() is properly invoked during file processing. Organizations should also implement additional security controls such as content type validation, file size restrictions, and regular security scanning of uploaded files. The fix should ensure that all SVG uploads undergo proper sanitization regardless of their extension, implementing a robust SVG cleaning process that removes or neutralizes potentially dangerous elements like script tags, event handlers, and external references. Additionally, administrators should consider implementing web application firewalls to detect and block suspicious file upload patterns, and conduct regular security audits of plugin configurations to ensure proper permission controls are in place.