CVE-2026-42843 | HIGH 8.8 | EPSS percentile 26.7%

CVE-2026-42843

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to a site's content, media, configuration, users, and system management. In versions prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the plugin's user update handler (UsersController::update) allows any authenticated user holding only basic API access (api.access) to modify their own permission configuration. An attacker can use this to grant themselves Super Administrator rights (admin.super and api.super), leading to full system compromise and potential remote code execution. The issue is fixed in 1.0.0-beta.15; deployments on earlier versions should upgrade and review user records for unexpected admin.super or api.super grants.
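The flaw described above, reduced to its pattern: a self-service user update handler that merges the request body into the stored record without deciding which fields the caller is allowed to write, so a body carrying an access map rewrites the caller's own permissions. The PHP below is an added illustration written for this page, not code from the Grav API plugin or from Grav; the store layout, the field names, the constructed sample records and the function names updateUserVulnerable and updateUserHardened are all assumptions made for the example.

```php
<?php
// Added illustration of the self-privilege-escalation pattern; hypothetical code,
// not the Grav API plugin's own implementation.
declare(strict_types=1);

// Constructed sample user store (username => record). The "access" map holds the
// permission flags; "admin.super"/"api.super" are the high-privilege ones.
$store = [
    'alice' => ['email' => 'alice@example.test', 'access' => ['api.access' => true]],
    'root'  => ['email' => 'root@example.test',  'access' => ['admin.super' => true, 'api.super' => true]],
];

// Vulnerable pattern: the target record is merged with the request body wholesale.
// The caller's identity is never consulted and "access" is writable like any other
// field, so a user with api.access can rewrite their own permissions.
function updateUserVulnerable(array &$store, string $caller, string $target, array $body): array
{
    if (!isset($store[$target])) {
        throw new RuntimeException('no such user');
    }
    $store[$target] = array_replace_recursive($store[$target], $body);
    return $store[$target];
}

// Hardened pattern:
//  1. a caller without admin.super may only update their own record,
//  2. only an explicit allowlist of profile fields is writable,
//  3. "access" is writable only when the caller already holds admin.super,
//     so the endpoint can never be used to grant privileges the caller lacks.
function updateUserHardened(array &$store, string $caller, string $target, array $body): array
{
    if (!isset($store[$target]) || !isset($store[$caller])) {
        throw new RuntimeException('no such user');
    }
    $callerIsSuper = !empty($store[$caller]['access']['admin.super']);

    if (!$callerIsSuper && $caller !== $target) {
        throw new RuntimeException('forbidden: cannot update another user');
    }

    // Hypothetical allowlist of self-service fields.
    $writable = ['email', 'fullname', 'language'];
    if ($callerIsSuper) {
        $writable[] = 'access';
    }

    $rejected = array_diff(array_keys($body), $writable);
    if ($rejected !== []) {
        throw new RuntimeException('forbidden: fields not writable by caller: ' . implode(',', $rejected));
    }

    $store[$target] = array_replace_recursive($store[$target], $body);
    return $store[$target];
}

// Constructed request: alice submits a profile update that also carries an access map
// granting herself super rights on her own record.
$escalation = [
    'email'  => 'alice@example.test',
    'access' => ['admin.super' => true, 'api.super' => true],
];

$vulnerable = $store;
$after = updateUserVulnerable($vulnerable, 'alice', 'alice', $escalation);
printf("vulnerable handler: alice admin.super = %s\n",
    var_export(!empty($after['access']['admin.super']), true));

$hardened = $store;
try {
    updateUserHardened($hardened, 'alice', 'alice', $escalation);
} catch (RuntimeException $e) {
    printf("hardened handler rejected the request: %s\n", $e->getMessage());
}
printf("hardened handler: alice admin.super = %s\n",
    var_export(!empty($hardened['alice']['access']['admin.super']), true));
```

The point of the hardened variant is that authorization is decided per field, not per endpoint: passing an "is this user allowed to call update" check (api.access) says nothing about whether the user may change their own access map. When reviewing a similar handler, look for the place where the request body reaches the persisted record and confirm that privilege-bearing fields are stripped or rejected before that merge.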

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 26.7% · 2026-06-21T12:00:28Z
Published: 2026-05-11
Last modified: 2026-05-13

Underlying weaknesses (1)

CWE-863 (Incorrect Authorization)

References

  1. https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736

Weakness mappings (1)

Type      Target                            Confidence  Tier
Weakness  Incorrect Authorization (cwe-863) 0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-42844
  - CVE-2026-42613
  - CVE-2026-42609
  - CVE-2025-66296
  - CVE-2026-42607
  - CVE-2026-42611

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.