Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-62234

HIGH NVD
CVSS Score 8.1
Severity HIGH
Published Jul 17, 2026
Vendor unknown

Description

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.

References