9.4
CVE-2026-42613
- EPSS 0.94%
- Veröffentlicht 11.05.2026 16:17:34
- Zuletzt bearbeitet 12.05.2026 14:51:21
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Grav: Privilege Escalation via Missing Server-Side Validation of groups/access
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellergetgrav
≫
Produkt
grav
Version
< 2.0.0-beta.2
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.94% | 0.562 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.4 | 3.9 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw
https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1
https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj