Product
A critical vulnerability, CVE-2026-58656, in the Grav API plugin before v1.0.0-rc.16 allows unauthenticated attackers to perform fully authenticated cross-origin API requests by leveraging leaked JWT tokens via the `?token=` URL query parameter and the `Access-Control-Allow-Origin: *` response header, potentially leading to persistent backdoor super-admin accounts and sensitive data exfiltration.