Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Grav — Vulnerabilities & Security Advisories 60

All 60 CVE vulnerabilities found in Grav, with AI-generated Chinese analysis, references, and POCs.

This page documents security weaknesses associated with the Grav content management system, categorized under common vulnerability classifications and tags maintained by security vendors. It aggregates reported security incidents, flaw descriptions, and impact assessments related to this specific open-source platform. The collection spans a comprehensive historical range, capturing incidents from initial releases through recent updates to ensure a complete timeline of exposure events. Readers can utilize this resource to track vendor advisories for the Grav ecosystem, gaining insight into how the developer addresses specific security risks. It also serves as a reference for understanding the broader implications of specific weakness classes as they apply to this technology stack. Furthermore, users can look up the product’s vulnerability history to assess long-term security trends and remediation effectiveness over time. This structured approach allows security professionals, developers, and auditors to contextualize individual flaws within the larger lifecycle of the software. By consolidating disparate reports into a single view, the page facilitates easier risk assessment and compliance auditing for organizations relying on Grav. The data is organized to highlight patterns in vulnerability types, helping stakeholders identify recurring issues that may require architectural changes or strict patch management policies. Access to this aggregated information supports informed decision-making regarding system hardening and update schedules without the need to consult multiple disparate sources.

Vendor: getgrav

CVE IDTitleCVSSSeverityPublished
CVE-2026-59193 Grav CMS — Improper Handling of Highly Compressed Data in Installer::unZip() CWE-409--2026-07-10
CVE-2026-59190 Grav Admin Plugin — IDOR Privilege Escalation via saveUser() CWE-639--2026-07-10
CVE-2026-58493 grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction CWE-74--2026-07-10
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation CWE-89--2026-07-10
CVE-2026-55890 Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() CWE-79 4.8 Medium2026-07-10
CVE-2026-55885 Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets CWE-312 6.8 Medium2026-07-10
CVE-2026-53653 Grav: Unauthenticated denial of service via unbounded image derivative dimensions CWE-770--2026-07-10
CVE-2026-61456 Grav before 1.0.3 Stored XSS via SVG Upload API CWE-79 4.6 Medium2026-07-10
CVE-2026-61455 Grav before 2.0.1 Decompression Bomb via ZipArchiver CWE-409 6.5 Medium2026-07-10
CVE-2026-61450 Grav before 2.0.2 Config Exfiltration via offsetGet Filter CWE-94 6.5 Medium2026-07-10
CVE-2026-58657 Grav - Stored CSS Injection via Markdown Image resize() Action CWE-79 4.8 Medium2026-07-08
CVE-2026-58656 Grav API Plugin - Cross-Origin Admin Account Takeover via CORS Wildcard and JWT Query Parameter CWE-598 7.5 High2026-07-08
CVE-2026-58654 Grav - Arbitrary File Upload via Avatar Endpoint CWE-434 4.3 Medium2026-07-08
CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection CWE-78 9.8 Critical2026-06-30
CVE-2020-37256 Grav - Cross-Site Scripting in Admin Plugin Page Editor CWE-79 5.4 Medium2026-06-25
CVE-2026-56701 Grav - XML External Entity Injection via SVG Upload CWE-611 6.5 Medium2026-06-23
CVE-2026-42844 Grav: Low-privileged API users can create super-admin accounts via blueprint-upload CWE-434--2026-05-12
CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() CWE-200 7.7 High2026-05-11
CVE-2026-42842 grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel CWE-79 5.4 Medium2026-05-11
CVE-2026-42613 Grav: Privilege Escalation via Missing Server-Side Validation of groups/access CWE-20 9.4 Critical2026-05-11
CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes CWE-79 8.5 High2026-05-11
CVE-2026-42611 Grav: Stored XSS via Tag Injection CWE-79 8.9 High2026-05-11
CVE-2026-42610 Grav: Sensitive Information Disclosure via Accounts Service Bypass CWE-863 6.5 Medium2026-05-11
CVE-2026-42609 Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic CWE-269 8.1 High2026-05-11
CVE-2026-42608 Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component. CWE-22--2026-05-11
CVE-2026-42607 Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature CWE-94 9.1 Critical2026-05-11
CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS CWE-79--2026-05-11
CVE-2025-66312 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66311 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66310 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab CWE-79 5.4AIMediumAI2025-12-01

All 60 known CVE vulnerabilities affecting Grav with full Chinese analysis, references, and POCs where available.