Grav CMS
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21425 | | Cri | 0.70 | 9.3 | 0.80 | | Apr 7, 2021 | Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Particular method… |
| CVE-2025-46199 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 25, 2025 | Cross-site scripting vulnerability in Grav v1.7.48 and before allows an attacker to execute arbitrary code via a crafted script submitted to the form fields. |
| CVE-2025-46198 | | Hig | 0.57 | 8.8 | 0.01 | | Jul 25, 2025 | Cross-site scripting vulnerability in Grav v1.7.48, v1.7.47 and v1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element. |
| CVE-2020-36955 | | Med | 0.42 | 6.4 | 0.01 | | Jan 26, 2026 | Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be… |
| CVE-2024-35498 | | Med | 0.40 | 6.1 | 0.00 | | Jan 6, 2025 | A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2023-34452 | | Med | 0.35 | 5.4 | 0.01 | | Jun 14, 2023 | Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can… |
| CVE-2026-55885 | | | 0.00 | — | — | | Jun 18, 2026 | Summary: An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin's bcrypt password hash and email, plus `user/config/` with all site configuration. The… |
| CVE-2021-47812 | | | 0.00 | — | 0.02 | | Jan 15, 2026 | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious… |
| CVE-2025-63593 | | | 0.00 | — | 0.00 | | Nov 3, 2025 | Grav CMS 1.7.49.5 is vulnerable to cross-site scripting (XSS). |
| CVE-2021-3920 | | Med | 0.00 | 5.4 | 0.01 | | Nov 19, 2021 | grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3799 | | Med | 0.00 | 5.4 | 0.02 | | Sep 27, 2021 | grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames. |
| CVE-2021-29439 | | Hig | 0.00 | 7.2 | 0.03 | | Apr 13, 2021 | The Grav admin plugin prior to version 1.10.11 does not correctly verify the caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary… |