Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Grav — Vulnerabilities & Security Advisories 47

All 47 CVE vulnerabilities found in Grav, with AI-generated Chinese analysis, references, and POCs.

This page documents security weaknesses associated with the Grav content management system, categorized under common vulnerability classifications and tags maintained by security vendors. It aggregates reported security incidents, flaw descriptions, and impact assessments related to this specific open-source platform. The collection spans a comprehensive historical range, capturing incidents from initial releases through recent updates to ensure a complete timeline of exposure events. Readers can utilize this resource to track vendor advisories for the Grav ecosystem, gaining insight into how the developer addresses specific security risks. It also serves as a reference for understanding the broader implications of specific weakness classes as they apply to this technology stack. Furthermore, users can look up the product’s vulnerability history to assess long-term security trends and remediation effectiveness over time. This structured approach allows security professionals, developers, and auditors to contextualize individual flaws within the larger lifecycle of the software. By consolidating disparate reports into a single view, the page facilitates easier risk assessment and compliance auditing for organizations relying on Grav. The data is organized to highlight patterns in vulnerability types, helping stakeholders identify recurring issues that may require architectural changes or strict patch management policies. Access to this aggregated information supports informed decision-making regarding system hardening and update schedules without the need to consult multiple disparate sources.

Vendor: getgrav

CVE IDTitleCVSSSeverityPublished
CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection CWE-78 9.8 Critical2026-06-30
CVE-2020-37256 Grav - Cross-Site Scripting in Admin Plugin Page Editor CWE-79 5.4 Medium2026-06-25
CVE-2026-56701 Grav - XML External Entity Injection via SVG Upload CWE-611 6.5 Medium2026-06-23
CVE-2026-42844 Grav: Low-privileged API users can create super-admin accounts via blueprint-upload CWE-434--2026-05-12
CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() CWE-200 7.7 High2026-05-11
CVE-2026-42842 grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel CWE-79 5.4 Medium2026-05-11
CVE-2026-42613 Grav: Privilege Escalation via Missing Server-Side Validation of groups/access CWE-20 9.4 Critical2026-05-11
CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes CWE-79 8.5 High2026-05-11
CVE-2026-42611 Grav: Stored XSS via Tag Injection CWE-79 8.9 High2026-05-11
CVE-2026-42610 Grav: Sensitive Information Disclosure via Accounts Service Bypass CWE-863 6.5 Medium2026-05-11
CVE-2026-42609 Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic CWE-269 8.1 High2026-05-11
CVE-2026-42608 Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component. CWE-22--2026-05-11
CVE-2026-42607 Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature CWE-94 9.1 Critical2026-05-11
CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS CWE-79--2026-05-11
CVE-2025-66312 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66311 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66310 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66309 Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab CWE-79 6.1AIMediumAI2025-12-01
CVE-2025-66308 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66307 Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure CWE-204 6.5 Medium2025-12-01
CVE-2025-66306 Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel CWE-639 4.3 Medium2025-12-01
CVE-2025-66305 Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter CWE-248 4.9AIMediumAI2025-12-01
CVE-2025-66304 Grav Exposes Password Hashes Leading to privilege escalation CWE-200 6.2 Medium2025-12-01
CVE-2025-66303 Grav is vulnerable to a DOS on the admin panel CWE-400 4.9 Medium2025-12-01
CVE-2025-66302 Grav vulnerable to Path Traversal allowing server files backup CWE-22 6.8 Medium2025-12-01
CVE-2025-66301 Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions CWE-285 4.3AIMediumAI2025-12-01
CVE-2025-66300 Grav is vulnerable to Arbitrary File Read CWE-22 8.5 High2025-12-01
CVE-2025-66299 Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS CWE-94 8.8 High2025-12-01
CVE-2025-66298 Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms CWE-1336 5.3AIMediumAI2025-12-01
CVE-2025-66297 Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection CWE-1336 7.2AIHighAI2025-12-01

All 47 known CVE vulnerabilities affecting Grav with full Chinese analysis, references, and POCs where available.