VYPR
Vendor: Getgrav

Products: 4
CVEs: 70
Across products: 73
Status: Private

Recent CVEs (70 total)
  • CVE-2026-42607, Critical, May 11, 2026
    risk 0.55, cvss 9.1, epss 0.04

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file…

  • CVE-2026-42613, Critical, May 11, 2026
    risk 0.54, cvss 9.4, epss 0.01

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are…

  • CVE-2026-42608, Critical, May 11, 2026
    risk 0.52, cvss 9.1, epss 0.01

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create…

  • CVE-2026-42611, High, May 11, 2026
    risk 0.51, cvss 8.9, epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (with the ability to create a page) can cause XSS through the injection of an SVG element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever…

  • CVE-2026-42844, High, May 12, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This…

  • CVE-2026-42843, High, May 11, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin…

  • CVE-2026-29924, High, Mar 30, 2026
    risk 0.49, cvss 7.6, epss 0.00

    Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

  • CVE-2026-42612, High, May 11, 2026
    risk 0.48, cvss 8.5, epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling…

  • CVE-2026-42609, High, May 11, 2026
    risk 0.46, cvss 8.1, epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a…

  • CVE-2026-42845, High, May 11, 2026
    risk 0.43, cvss n/a, epss 0.01

    The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content…

  • CVE-2020-36955, Medium, Jan 26, 2026
    risk 0.42, cvss 6.4, epss 0.01

    Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be…

  • CVE-2026-42610, Medium, May 11, 2026
    risk 0.35, cvss 6.5, epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (for example, a Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. An attacker can programmatically load administrative…

  • CVE-2026-44737, Medium, May 11, 2026
    risk 0.33, cvss n/a, epss 0.00

    grav-plugin-admin, the admin plugin for Grav, is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title]…

  • CVE-2026-42842, Medium, May 11, 2026
    risk 0.28, cvss 5.4, epss 0.00

    The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin…

  • CVE-2026-7317, Medium, Apr 28, 2026
    risk 0.26, cvss 5.0, epss 0.00

    A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. …

  • CVE-2026-42841, Medium, May 11, 2026
    risk 0.24, cvss 4.8, epss 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image…

  • CVE-2021-21425, Apr 7, 2021
    risk 0.10, cvss n/a, epss 0.80

    Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Particular method…

  • CVE-2021-29440, Apr 13, 2021
    risk 0.04, cvss n/a, epss 0.31

    Grav is a file-based Web platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate…

  • CVE-2026-56701, Jun 23, 2026
    risk 0.00, cvss n/a, epss 0.00

    Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to…

  • CVE-2026-11982, Jun 18, 2026
    risk 0.00, cvss n/a, epss 0.00

    Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored cross-site scripting (XSS) vulnerability in the Admin2 Pages API save flow.