Tag
A vulnerability (CVE-2026-61457) in the Grav API plugin before version 1.0.3 allows an authenticated attacker with `api.media.write` permissions to bypass file upload extension validation using double extensions, which can lead to remote code execution on the web server.