GravCMS
by Grav CMS
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36955 | | Med | 0.42 | 6.4 | 0.01 | | Jan 26, 2026 | Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be… |
| CVE-2021-21425 | | | 0.10 | — | 0.80 | | Apr 7, 2021 | Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Particular method… |
| CVE-2021-47812 | | | 0.00 | — | 0.02 | | Jan 15, 2026 | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious… |
| CVE-2025-63593 | | | 0.00 | — | 0.00 | | Nov 3, 2025 | Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2025-46199 | | | 0.00 | — | 0.01 | | Jul 25, 2025 | Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script submitted to the form fields. |
| CVE-2025-46198 | | | 0.00 | — | 0.01 | | Jul 25, 2025 | Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element. |
| CVE-2024-35498 | | | 0.00 | — | 0.00 | | Jan 6, 2025 | A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |