CVE-2026-61457
Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-434
Subida sin restricciones de ficheros de tipos peligrosos
Fecha de publicación:
15/07/2026
Última modificación:
15/07/2026
Descripción
*** Pendiente de traducción *** The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final file extension via pathinfo($filename, PATHINFO_EXTENSION), so a user with api.media.write permission can upload a file with a double extension such as shell.php.jpg to bypass the dangerous extensions blocklist. The web server may then execute the file as PHP, resulting in remote code execution.
Impacto
Puntuación base 4.0
5.30
Gravedad 4.0
MEDIA
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA



