Product
An unauthenticated attacker can exploit CVE-2026-61451 in Grav API plugin versions prior to 1.0.4, leveraging improper URL validation in the password reset functionality to specify an arbitrary host in the reset link, thereby disclosing valid reset tokens to an attacker-controlled server and enabling full account takeover.