A vulnerability classified as critical was found in getgrav Grav up to 1.0.3. Affected is the function
sanitizeHttpUrl of the file /api/v1/auth/forgot-password of the component API Plugin. Executing a manipulation of the argument admin_base_url can lead to weak password recovery.
This vulnerability is handled as CVE-2026-61451. The attack can be executed remotely. There is not any exploit available.