VYPR

Vendor: Grav CMS
Products: 3
CVEs: 12 (across products: 14)
Status: Private

Recent CVEs (12)
  • CVE-2021-21425 (Critical, Apr 7, 2021)
    risk 0.70, CVSS 9.3, EPSS 0.80

    Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method…

  • CVE-2025-46199 (Critical, Jul 25, 2025)
    risk 0.64, CVSS 9.8, EPSS 0.01

    Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields

  • CVE-2025-46198 (High, Jul 25, 2025)
    risk 0.57, CVSS 8.8, EPSS 0.01

    Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element

  • CVE-2020-36955 (Medium, Jan 26, 2026)
    risk 0.42, CVSS 6.4, EPSS 0.01

    Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be…

  • CVE-2024-35498 (Medium, Jan 6, 2025)
    risk 0.40, CVSS 6.1, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2023-34452 (Medium, Jun 14, 2023)
    risk 0.35, CVSS 5.4, EPSS 0.01

    Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can…

  • CVE-2026-55885 (severity not listed, Jun 18, 2026)
    risk 0.00, CVSS n/a, EPSS n/a

    Summary: An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin's bcrypt password hash and email, plus `user/config/` with all site configuration. The…

  • CVE-2021-47812 (severity not listed, Jan 15, 2026)
    risk 0.00, CVSS n/a, EPSS 0.02

    GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious…

  • CVE-2025-63593 (severity not listed, Nov 3, 2025)
    risk 0.00, CVSS n/a, EPSS 0.00

    Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS).

  • CVE-2021-3920 (Medium, Nov 19, 2021)
    risk 0.00, CVSS 5.4, EPSS 0.01

    grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3799 (Medium, Sep 27, 2021)
    risk 0.00, CVSS 5.4, EPSS 0.02

    grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames

  • CVE-2021-29439 (High, Apr 13, 2021)
    risk 0.00, CVSS 7.2, EPSS 0.03

    The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary…