Grav
by Getgrav
Source repositories
CVEs (65)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-66294 | 0.00 | — | 0.03 | Dec 1, 2025 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be… |
| CVE-2025-66295 | 0.00 | — | 0.00 | Dec 1, 2025 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example `..\Nijat` or `../Nijat`), Grav writes the account YAML file to an… |
| CVE-2025-46199 | 0.00 | — | 0.01 | Jul 25, 2025 | Cross-site scripting vulnerability in Grav v1.7.48 and earlier allows an attacker to execute arbitrary code via a crafted script in the form fields. |
| CVE-2025-46198 | 0.00 | — | 0.01 | Jul 25, 2025 | Cross-site scripting vulnerability in Grav v1.7.48, v1.7.47 and v1.7.46 allows an attacker to execute arbitrary code via the `onerror` attribute of the `img` element. |
| CVE-2024-34082 | 0.00 | — | 0.03 | May 15, 2024 | Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret,… |
| CVE-2024-28119 | 0.00 | — | 0.02 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be… |
| CVE-2024-28118 | 0.00 | — | 0.01 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing… |
| CVE-2024-28117 | 0.00 | — | 0.01 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the… |
| CVE-2024-28116 | 0.00 | — | 0.06 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server… |
| CVE-2024-27921 | 0.00 | — | 0.61 | Mar 21, 2024 | Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical… |
| CVE-2024-27923 | 0.00 | — | 0.01 | Mar 6, 2024 | Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue. |
| CVE-2023-37897 | 0.00 | — | 0.02 | Jul 18, 2023 | Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using the `\|map`, `\|filter` and `\|reduce` Twig filters implemented in the commit `71bbed1` introduces bypass of the denylist due… |
| CVE-2023-34452 | 0.00 | — | 0.01 | Jun 14, 2023 | Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can… |
| CVE-2023-34448 | 0.00 | — | 0.05 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that… |
| CVE-2023-34253 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using… |
| CVE-2023-34252 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However,… |
| CVE-2023-34251 | 0.00 | — | 0.02 | Jun 14, 2023 | Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains… |
| CVE-2022-2073 | 0.00 | — | 0.10 | Jun 29, 2022 | Code Injection in GitHub repository getgrav/grav prior to 1.7.34. |
| CVE-2022-1173 | 0.00 | — | 0.01 | Apr 26, 2022 | Stored XSS in GitHub repository getgrav/grav prior to 1.7.33. |
| CVE-2022-0970 | 0.00 | — | 0.02 | Mar 15, 2022 | Stored cross-site scripting (XSS) in GitHub repository getgrav/grav prior to 1.7.31. |
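Two entries above share one root cause: untrusted input is joined onto a directory path before being written, so `..` segments escape the intended folder (CVE-2025-66295, a username like `../Nijat` written as an account YAML file; CVE-2024-27921, an upload file name that can create or replace files elsewhere). The following is an added example, not Grav's code and not taken from either advisory, showing where a naive join lands for such inputs and the two checks a hardened version needs: an allow-list on the name, then a containment check on the resolved path. The directory layout `<base>/accounts/<name>.yaml` and every helper name are assumptions for illustration.

```python
"""Added illustration (not Grav's code): rejecting traversal in a file name that
is about to be joined onto a base directory, and verifying containment after
the join.  The layout <base>/accounts/<name>.yaml is hypothetical.
"""
import os
import re

# Hypothetical allow-list for account names: no leading dot (so "." and ".."
# never match), no separators, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def naive_account_path(base: str, username: str) -> str:
    """The unsafe pattern: join untrusted input straight onto the base dir."""
    return os.path.normpath(os.path.join(base, "accounts", username + ".yaml"))


def is_contained(base: str, candidate: str) -> bool:
    """True only if `candidate` resolves to a location inside `base`.

    Both paths are made absolute and normalised first, so ".." segments are
    collapsed before the common prefix is compared.  Note that on POSIX a
    backslash is an ordinary file-name character, which is why the hardened
    path below rejects it explicitly instead of relying on this check alone.
    """
    base_abs = os.path.abspath(base)
    cand_abs = os.path.abspath(candidate)
    try:
        return os.path.commonpath([base_abs, cand_abs]) == base_abs
    except ValueError:  # e.g. different drives on Windows
        return False


def safe_account_path(base: str, username: str) -> str:
    """Hardened version: allow-list the name, then re-check containment."""
    # Reject both separator styles up front so "..\\Nijat" is caught on POSIX
    # as well as on Windows.
    if "\\" in username or "/" in username or not USERNAME_RE.match(username):
        raise ValueError(f"rejected username: {username!r}")
    path = naive_account_path(base, username)
    # Defence in depth: even after the allow-list, confirm the final path is
    # still under the accounts directory.
    if not is_contained(os.path.join(base, "accounts"), path):
        raise ValueError(f"path escapes account directory: {path}")
    return path


def classify(base: str, username: str) -> dict:
    """For one input, report where the naive join would write, whether that
    escapes the accounts directory, and whether the hardened path accepts it."""
    naive = naive_account_path(base, username)
    try:
        safe_account_path(base, username)
        accepted = True
    except ValueError:
        accepted = False
    return {
        "naive_path": naive,
        "naive_escapes": not is_contained(os.path.join(base, "accounts"), naive),
        "hardened_accepts": accepted,
    }


if __name__ == "__main__":
    # Constructed sample inputs; the base directory is made up.
    BASE = "/srv/grav/user"
    for name in ["alice", "../Nijat", "..\\Nijat", "../../config/system"]:
        print(f"{name!r}: {classify(BASE, name)}")
```

The containment check is the part that generalises to the upload case: whatever the name passed, resolve the full target path and compare it against the directory you intended to write into, rather than only scanning the input for `..`.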
Page 3 of 4
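The practical question this listing answers is whether a given Grav install is inside any of the affected ranges. The following is an added example, not code from the listing's source or from Grav, that encodes only the version boundaries stated in the descriptions on this page and tests an installed version against them. It assumes "prior to X" means strictly below X in semantic-version order, with a pre-release tag such as `1.8.0-beta.27` sorting below the bare `1.8.0`; CVE-2023-37897 is left out because its description here states no fixed version.

```python
"""Added example (not Grav's code): check an installed Grav version against the
affected ranges stated in this page's CVE descriptions.

Assumption: versions compare by semver precedence, so 1.8.0-beta.27 < 1.8.0.
"""
import re
from typing import Callable, List, Tuple

Version = Tuple[int, int, int, tuple]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse(v: str) -> Version:
    """Parse 'v1.7.48' or '1.8.0-beta.27' into a tuple that sorts by semver."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparsable version: {v!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key: tuple = (1,)  # a bare release sorts above any pre-release
    else:
        # Numeric identifiers compare numerically, others lexically; the
        # leading 0/1 keeps ints and strings from being compared directly.
        parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
        pre_key = (0, parts)
    return (int(major), int(minor), int(patch), pre_key)


def lt(fixed: str) -> Callable[[Version], bool]:
    """'Prior to <fixed>'."""
    f = parse(fixed)
    return lambda v: v < f


def le(last_affected: str) -> Callable[[Version], bool]:
    """'<last_affected> and earlier'."""
    f = parse(last_affected)
    return lambda v: v <= f


def one_of(*versions: str) -> Callable[[Version], bool]:
    """Only the versions explicitly named."""
    s = {parse(x) for x in versions}
    return lambda v: v in s


# Boundaries exactly as the descriptions on this page state them.
AFFECTED = {
    "CVE-2025-66294": lt("1.8.0-beta.27"),
    "CVE-2025-66295": lt("1.8.0-beta.27"),
    "CVE-2025-46199": le("1.7.48"),
    "CVE-2025-46198": one_of("1.7.46", "1.7.47", "1.7.48"),
    "CVE-2024-34082": lt("1.7.46"),
    "CVE-2024-28119": lt("1.7.45"),
    "CVE-2024-28118": lt("1.7.45"),
    "CVE-2024-28117": lt("1.7.45"),
    "CVE-2024-28116": lt("1.7.45"),
    "CVE-2024-27921": lt("1.7.45"),
    "CVE-2024-27923": lt("1.7.43"),
    # CVE-2023-37897: no fixed version given in the description; not encoded.
    "CVE-2023-34452": le("1.7.42"),
    "CVE-2023-34448": lt("1.7.42"),
    "CVE-2023-34253": lt("1.7.42"),
    "CVE-2023-34252": lt("1.7.42"),
    "CVE-2023-34251": lt("1.7.42"),
    "CVE-2022-2073": lt("1.7.34"),
    "CVE-2022-1173": lt("1.7.33"),
    "CVE-2022-0970": lt("1.7.31"),
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE IDs from this page whose stated range covers `version`."""
    v = parse(version)
    return [cve for cve, pred in AFFECTED.items() if pred(v)]


if __name__ == "__main__":
    for ver in ["1.7.42", "1.7.48", "1.8.0-beta.26", "1.8.0-beta.27", "1.8.0"]:
        print(ver, affected_cves(ver))
```

Note that a `1.8.0-beta.x` build is judged only against the two entries whose fixed version is written as a 1.8.0 pre-release; the page gives no statement about whether early 1.8.0 betas carried the 1.7.x issues, so the checker does not guess.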