CVE•Published 2026-05-11•Modified 2026-05-27•1 article on news•6 live references•NVD data

CVE-2026-42843Getgrav · Grav-plugin-api

Vulnerability data via NVD (ingested)

CVSS v3.1

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-863Incorrect Authorization

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

Timeline

Published 2026-05-11

Modified 2026-05-27

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-42843

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product + version

product:"Getgrav Grav-plugin-api" version:"1.0.0"

Version-pinned fingerprint from NVD's first vulnerable CPE.

Shodan · banner/body mention

http.html:"Grav-plugin-api"

HTTP body or banner mentions "Grav-plugin-api" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-42843