Grav Plugin Api
Approved changes feed: RSS · Atom
cpe:2.3:a:getgrav:grav-plugin-api:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Getgrav (a335dd59-994b-520f-884a-04ce57f966e0) |
|---|---|
| Product | Grav Plugin Api (7342c720-9a98-5eb6-b44b-5cc5002a8bb6) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/getgrav/grav-plugin-api |
purl2cpe | 2026-06-01 10:15:21.236036 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-42843 |
vulnerable | 2026-06-08 08:03:16.813033 |
grav-plugin-api: Grav API Privilege Escalation to Super Admin
HIGH (8.8)
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Published: 2026-05-11T15:54:33.485Z
Updated: 2026-05-11T19:06:51.035Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.