CVE-2026-42843 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: May 11, 2026
Grav API Plugin - Broken Access Control
Overview
Grav API Plugin versions prior to 1.0.0-beta.15 contain a broken access control vulnerability caused by an insecure direct object reference and a logic flaw in UsersController::update, which lets authenticated users escalate their privileges to Super Administrator. Exploitation requires authenticated API access.
Impact
Authenticated users can escalate their privileges to Super Administrator, leading to full system compromise and potential remote code execution.
Mitigation
Update to version 1.0.0-beta.15 or later.
Social Media Activity (2 posts)
CVE-2026-42843 - High (8.8) Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API... https://www.thehackerwire.com/vulnerability/CVE-2026-42843/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-42843
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: new
- EPSS: 3.9%
- Social Posts: 2
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H