Grav · Grav · CVE-2026-42613
**Name of the Vulnerable Software and Affected Versions**
Grav version 1.8.0-beta.29
Login Plugin versions prior to 3.8.2
**Description**
A missing server-side validation issue exists in the `Login::register()` function of the Login plugin. When user registration is enabled and the `groups` or `access` fields are included in the allowed fields configuration, an unauthenticated user can inject these variables into the registration request. Because the `Login::validateField()` function does not validate the `groups` and `access` parameters, an attacker can self-register with `admin.super` privileges. This privilege escalation can lead to full administrative panel access and potentially remote code execution (RCE).
**Recommendations**
Update Login Plugin to version 3.8.2 or later.
As a temporary workaround, remove `groups` and `access` from the `user_registration.fields` list in the configuration to prevent unauthenticated users from injecting privilege levels.
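To make the missing check in the description and the workaround above concrete, the following is an added illustration, not the Login plugin's own code: the configured field list is still applied, but `groups` and `access` are refused regardless of what `user_registration.fields` contains, and rejected keys are surfaced for logging. The function names, the sample request and the constructed misconfiguration are assumptions for the example.

```php
<?php
// Added example (not the Grav Login plugin's code): filtering self-service
// registration input. Keys that grant privileges must never come from the client.
const PRIVILEGE_KEYS = ['groups', 'access'];

/**
 * Vulnerable pattern: keep whatever the configured field list allows.
 * If an operator lists `groups` or `access`, the client controls them.
 */
function filterRegistrationUnsafe(array $request, array $allowedFields): array
{
    return array_intersect_key($request, array_flip($allowedFields));
}

/**
 * Hardened pattern: apply the allowlist, then drop privilege keys regardless
 * of configuration. Returns the filtered data plus the rejected keys so the
 * caller can log the attempt (a useful detection signal on its own).
 */
function filterRegistrationSafe(array $request, array $allowedFields): array
{
    $effective = array_diff($allowedFields, PRIVILEGE_KEYS);
    $data      = array_intersect_key($request, array_flip($effective));
    $rejected  = array_values(array_intersect(array_keys($request), PRIVILEGE_KEYS));
    return ['data' => $data, 'rejected' => $rejected];
}

// Constructed sample request: an ordinary sign-up with privilege fields smuggled in.
$request = [
    'username' => 'newuser',
    'email'    => 'newuser@example.invalid',
    'password' => 'correct horse battery staple',
    'groups'   => ['admins'],
    'access'   => ['admin' => ['super' => true]],
];
// Constructed misconfiguration: groups/access listed in user_registration.fields.
$allowed = ['username', 'email', 'password', 'groups', 'access'];

$unsafe = filterRegistrationUnsafe($request, $allowed);
// $unsafe still carries 'groups' and 'access': the new account would be created with them.

$safe = filterRegistrationSafe($request, $allowed);
// $safe['data'] holds only username/email/password; $safe['rejected'] is ['groups', 'access'].
foreach ($safe['rejected'] as $key) {
    error_log("registration: rejected privilege field '{$key}' for user {$request['username']}");
}
```

Even with the plugin updated, keeping this kind of server-side rejection (and alerting on it) means a future misconfiguration of the field list does not silently become a privilege escalation again.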