SCA: security update for getgrav/grav (GHSA-pxm6-mhxr-q4mj)

critical Tenable Self-Hosted Container Security Plugin ID 441214

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin
accepts attacker-controlled groups and access fields from the registration POST data without server-side
validation. When registration is enabled and groups or access are included in the configured allowed
fields list, an unauthenticated user can self-register with admin.super privileges by injecting these
fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2. (CVE-2026-42613)
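The missing control in the description is server-side allow-listing of registration fields. The snippet below is an added illustration of that control, not Grav's own code: `filter_registration_data` and `suspicious_registration` are hypothetical names, and the request shown is constructed to resemble the one the advisory describes.

```python
# Added example (not Grav's code): server-side allow-listing of self-registration
# fields, the control whose absence the advisory describes. Names are hypothetical.

# Fields that must never be settable by the registrant, whatever the configured
# allowed list says: they grant group membership and ACL rights (e.g. admin.super).
PRIVILEGED_FIELDS = frozenset({"groups", "access"})


def filter_registration_data(post: dict, allowed: list[str]) -> tuple[dict, list[str]]:
    """Return (clean_data, dropped_fields).

    Only fields in `allowed` survive, and privileged fields are dropped even
    when an operator mistakenly put them in `allowed`.
    """
    clean, dropped = {}, []
    for field, value in post.items():
        if field in PRIVILEGED_FIELDS or field not in allowed:
            dropped.append(field)
            continue
        clean[field] = value
    return clean, dropped


def suspicious_registration(dropped: list[str]) -> bool:
    """A request carrying privileged fields is worth logging and alerting on."""
    return any(f in PRIVILEGED_FIELDS for f in dropped)


if __name__ == "__main__":
    # Constructed request shaped like the one the advisory describes.
    post = {
        "username": "newuser",
        "email": "newuser@example.com",
        "password": "correct horse battery staple",
        "groups": ["admin"],
        "access": {"admin": {"super": True}},
    }
    # The misconfiguration from the advisory: groups/access in the allowed list.
    allowed = ["username", "email", "password", "groups", "access"]
    clean, dropped = filter_registration_data(post, allowed)
    print(clean, dropped, suspicious_registration(dropped))
```

Dropping privileged fields even when they appear in the operator's allowed list is the point: the configuration mistake the advisory describes then no longer escalates privileges, and the dropped-field list gives a detection signal.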

Solution

Update the getgrav/grav library and its related packages to version 2.0.0-beta.2 or later.

See Also

https://github.com/advisories/GHSA-pxm6-mhxr-q4mj

Plugin Details

Severity: Critical

ID: 441214

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 5/6/2026

Updated: 5/12/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.51

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.7

Temporal Score: 7.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: CVE-2026-42613

CVSS v3

Risk Factor: Critical

Base Score: 9.4

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2026

Vulnerability Publication Date: 5/5/2026

Reference Information

CVE: CVE-2026-42613

CWE: CWE-20