Packagist (Composer) package
getgrav/grav
pkg:composer/getgrav/grav
Vulnerabilities (64)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42844 | High | 8.8 | | < 2.0.0-beta.4 | 2.0.0-beta.4 | May 12, 2026 | Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This r |
| CVE-2026-44738 | High | 7.7 | | < 2.0.0-rc.2 | 2.0.0-rc.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, |
| CVE-2026-44737 | Medium | — | | < 1.7.49.5 | 1.7.49.5 | May 11, 2026 | grav-plugin-admin is the admin plugin for Grav, an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title] paramete |
| CVE-2026-42842 | Medium | 5.4 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig \|raw filter in the admin pa |
| CVE-2026-42841 | Medium | 4.8 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image qu |
| CVE-2026-42613 | Critical | 9.4 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are in |
| CVE-2026-42612 | High | 8.5 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted |
| CVE-2026-42611 | High | 8.9 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (with the ability to create a page) can cause XSS with the injection of an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever |
| CVE-2026-42610 | Medium | 6.5 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (e.g. a Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. An attacker can programmatically load administrative u |
| CVE-2026-42609 | High | 8.1 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a u |
| CVE-2026-42608 | Critical | 9.1 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create ar |
| CVE-2026-42607 | Critical | 9.1 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file |
| CVE-2026-7317 | Medium | 5.0 | | < 2.0.0-beta.2 | 2.0.0-beta.2 | Apr 28, 2026 | A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. |
| CVE-2025-66844 | — | — | | <= 1.7.49.5 | — | Dec 15, 2025 | In grav <1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered |
| CVE-2025-66843 | — | — | | <= 1.7.49.5 | — | Dec 15, 2025 | grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the s |
| CVE-2025-65186 | — | — | | <= 1.7.49 | — | Dec 2, 2025 | Grav CMS 1.7.49 is vulnerable to Cross-Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin inte |
| CVE-2025-66312 | — | — | | < 1.8.0-beta.27 | 1.8.0-beta.27 | Dec 1, 2025 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the G |
| CVE-2025-66311 | — | — | | < 1.11.0-beta.1 | 1.11.0-beta.1 | Dec 1, 2025 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav appli |
| CVE-2025-66310 | — | — | | < 1.8.0-beta.27 | 1.8.0-beta.27 | Dec 1, 2025 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav appli |
| CVE-2025-66309 | — | — | | < 1.8.0-beta.27 | 1.8.0-beta.27 | Dec 1, 2025 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav ap |