CVE-2026-61451 - Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url
CVE ID :CVE-2026-61451 Published : July 15, 2026, 12:18 p.m. | 16 minutes ago Description :The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl()...