{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/extension-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61457"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav API plugin (getgrav/grav-plugin-api) \u003c 1.0.3"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","remote-code-execution","extension-bypass","grav"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-61457, has been identified in the Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3. This flaw specifically impacts the API media controller's file upload validation mechanism. An authenticated attacker possessing \u003ccode\u003eapi.media.write\u003c/code\u003e permissions can exploit this vulnerability by submitting a malicious file with a double extension, such as \u003ccode\u003eshell.php.jpg\u003c/code\u003e. The \u003ccode\u003eHandlesMediaUploads::validateFileExtension()\u003c/code\u003e function, which relies solely on \u003ccode\u003epathinfo($filename, PATHINFO_EXTENSION)\u003c/code\u003e, will incorrectly identify \u003ccode\u003e.jpg\u003c/code\u003e as the primary extension, thereby circumventing the blocklist for dangerous file types. This bypass allows the attacker to upload and subsequently execute arbitrary PHP code on the underlying web server, leading to full remote code execution. This vulnerability poses a significant risk to the integrity and confidentiality of affected Grav installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a Grav instance, ideally with \u003ccode\u003eapi.media.write\u003c/code\u003e permissions, either through compromised credentials or another initial access vector.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares a malicious PHP payload, such as a web shell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e), designed to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eTo bypass file upload validation, the attacker renames the malicious PHP file with a double extension, for instance, \u003ccode\u003eshell.php.jpg\u003c/code\u003e or \u003ccode\u003emalware.php.png\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then initiates an HTTP POST request to the Grav API media controller endpoint, attempting to upload the specially crafted file (\u003ccode\u003eshell.php.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eHandlesMediaUploads::validateFileExtension()\u003c/code\u003e function processes the file. Due to its reliance on \u003ccode\u003epathinfo($filename, PATHINFO_EXTENSION)\u003c/code\u003e, it only inspects the final extension (\u003ccode\u003e.jpg\u003c/code\u003e), failing to detect the embedded \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe Grav API plugin allows the upload to proceed, storing the malicious \u003ccode\u003eshell.php.jpg\u003c/code\u003e file on the web server in an accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker directly accesses the uploaded file via a web browser or automated script, triggering its execution by the web server's PHP interpreter.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP code is executed on the server, granting the attacker remote code execution capabilities and potentially full control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61457 can lead to complete compromise of the Grav web server. An attacker can achieve remote code execution, allowing them to install backdoors, deface websites, exfiltrate sensitive data, or establish persistence within the victim's network. While no specific victim counts or targeted sectors are available from the source, any organization using vulnerable versions of the Grav API plugin is at risk. The direct consequence is arbitrary command execution on the server, potentially leading to further network pivoting and broader system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-61457 by upgrading the Grav API plugin to version 1.0.3 or higher on all affected Grav installations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule titled \u0026quot;Detects CVE-2026-61457 Exploitation - Grav API Plugin Double Extension Upload\u0026quot; to your SIEM solution and monitor for suspicious HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eEnsure web server access logs are enabled and forwarded to your SIEM for analysis of \u003ccode\u003ewebserver\u003c/code\u003e category events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:35:30Z","date_published":"2026-07-15T12:35:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-rce-bypass/","summary":"A vulnerability (CVE-2026-61457) in the Grav API plugin before version 1.0.3 allows an authenticated attacker with `api.media.write` permissions to bypass file upload extension validation using double extensions, which can lead to remote code execution on the web server.","title":"Grav API Plugin File Upload Extension Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-rce-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Extension-Bypass","version":"https://jsonfeed.org/version/1.1"}