<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav API Plugin (Getgrav/Grav-Plugin-Api) &lt; 1.0.3 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav-api-plugin-getgrav/grav-plugin-api--1.0.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 12:35:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav-api-plugin-getgrav/grav-plugin-api--1.0.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grav API Plugin File Upload Extension Bypass Leading to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-api-rce-bypass/</link><pubDate>Wed, 15 Jul 2026 12:35:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-api-rce-bypass/</guid><description>A vulnerability (CVE-2026-61457) in the Grav API plugin before version 1.0.3 allows an authenticated attacker with `api.media.write` permissions to bypass file upload extension validation using double extensions, which can lead to remote code execution on the web server.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-61457, has been identified in the Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3. This flaw specifically impacts the API media controller's file upload validation mechanism. An authenticated attacker possessing <code>api.media.write</code> permissions can exploit this vulnerability by submitting a malicious file with a double extension, such as <code>shell.php.jpg</code>. The <code>HandlesMediaUploads::validateFileExtension()</code> function, which relies solely on <code>pathinfo($filename, PATHINFO_EXTENSION)</code>, will incorrectly identify <code>.jpg</code> as the primary extension, thereby circumventing the blocklist for dangerous file types. This bypass allows the attacker to upload and subsequently execute arbitrary PHP code on the underlying web server, leading to full remote code execution. This vulnerability poses a significant risk to the integrity and confidentiality of affected Grav installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to a Grav instance, ideally with <code>api.media.write</code> permissions, either through compromised credentials or another initial access vector.</li>
<li>The attacker prepares a malicious PHP payload, such as a web shell (e.g., <code>shell.php</code>), designed to execute arbitrary commands.</li>
<li>To bypass file upload validation, the attacker renames the malicious PHP file with a double extension, for instance, <code>shell.php.jpg</code> or <code>malware.php.png</code>.</li>
<li>The attacker then initiates an HTTP POST request to the Grav API media controller endpoint, attempting to upload the specially crafted file (<code>shell.php.jpg</code>).</li>
<li>The vulnerable <code>HandlesMediaUploads::validateFileExtension()</code> function processes the file. Due to its reliance on <code>pathinfo($filename, PATHINFO_EXTENSION)</code>, it only inspects the final extension (<code>.jpg</code>), failing to detect the embedded <code>.php</code> extension.</li>
<li>The Grav API plugin allows the upload to proceed, storing the malicious <code>shell.php.jpg</code> file on the web server in an accessible directory.</li>
<li>The attacker directly accesses the uploaded file via a web browser or automated script, triggering its execution by the web server's PHP interpreter.</li>
<li>The malicious PHP code is executed on the server, granting the attacker remote code execution capabilities and potentially full control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61457 can lead to complete compromise of the Grav web server. An attacker can achieve remote code execution, allowing them to install backdoors, deface websites, exfiltrate sensitive data, or establish persistence within the victim's network. While no specific victim counts or targeted sectors are available from the source, any organization using vulnerable versions of the Grav API plugin is at risk. The direct consequence is arbitrary command execution on the server, potentially leading to further network pivoting and broader system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-61457 by upgrading the Grav API plugin to version 1.0.3 or higher on all affected Grav installations.</li>
<li>Deploy the Sigma rule titled &quot;Detects CVE-2026-61457 Exploitation - Grav API Plugin Double Extension Upload&quot; to your SIEM solution and monitor for suspicious HTTP POST requests.</li>
<li>Ensure web server access logs are enabled and forwarded to your SIEM for analysis of <code>webserver</code> category events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>remote-code-execution</category><category>extension-bypass</category><category>grav</category></item></channel></rss>