CVE-2026-62234
HIGH
NVD
CVSS Score
8.1
Severity
HIGH
Published
Jul 17, 2026
Vendor
unknown
Description
Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.