A vulnerability identified as critical has been detected in Grav API Plugin up to 1.0.0. Affected by this issue is some unknown functionality of the file /api/v1/users/user/avatar of the component Avatar Upload Endpoint. This manipulation causes unrestricted upload.

This vulnerability is handled as CVE-2026-58654. The attack can be initiated remotely. There is not any exploit available.