VYPR

Packagist (Composer) package

getgrav/grav

pkg:composer/getgrav/grav

Vulnerabilities (64)

  • CVE-2025-66308 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav applic

  • CVE-2025-66307 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/fo

  • CVE-2025-66306 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not p

  • CVE-2025-66305 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input.

  • CVE-2025-66304 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attack

  • CVE-2025-66303 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating

  • CVE-2025-66302 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to

  • CVE-2025-66301 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning

  • CVE-2025-66300 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store hashed user password, 2FA secret

  • CVE-2025-66299 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since t

  • CVE-2025-66298 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive info

  • CVE-2025-66297 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to adm

  • CVE-2025-66296 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same u

  • CVE-2025-66294 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be explo

  • CVE-2025-66295 (Dec 1, 2025)
    affected < 1.8.0-beta.27, fixed 1.8.0-beta.27

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an u

  • CVE-2024-35498 (Jan 6, 2025)
    affected <= 1.7.45

    A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-34082 (May 15, 2024)
    affected < 1.7.46, fixed 1.7.46

    Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret,

  • CVE-2024-28119 (Mar 21, 2024)
    affected < 1.7.45, fixed 1.7.45

    Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enab

  • CVE-2024-28118 (Mar 21, 2024)
    affected < 1.7.45, fixed 1.7.45

    Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing o

  • CVE-2024-28117 (Mar 21, 2024)
    affected < 1.7.45, fixed 1.7.45

    Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the vali