8.8
CVE-2026-42843
- EPSS 0.35%
- Published 11.05.2026 17:16:34
- Last modified 27.05.2026 19:07:10
- Source security-advisories@github.com
grav-plugin-api: Grav API Privilege Escalation to Super Admin
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Data provided by the National Vulnerability Database (NVD)
Affected configurations:
- Getgrav ≫ Grav-plugin-api 1.0.0 beta1
- Getgrav ≫ Grav-plugin-api 1.0.0 beta2
- Getgrav ≫ Grav-plugin-api 1.0.0 beta3
- Getgrav ≫ Grav-plugin-api 1.0.0 beta4
- Getgrav ≫ Grav-plugin-api 1.0.0 beta5
- Getgrav ≫ Grav-plugin-api 1.0.0 beta6
- Getgrav ≫ Grav-plugin-api 1.0.0 beta7
- Getgrav ≫ Grav-plugin-api 1.0.0 beta8
- Getgrav ≫ Grav-plugin-api 1.0.0 beta9
- Getgrav ≫ Grav-plugin-api 1.0.0 beta10
- Getgrav ≫ Grav-plugin-api 1.0.0 beta11
- Getgrav ≫ Grav-plugin-api 1.0.0 beta12
- Getgrav ≫ Grav-plugin-api 1.0.0 beta13
- Getgrav ≫ Grav-plugin-api 1.0.0 beta14
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.267 |
| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736