Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

grav — Vulnerabilities & Security Advisories 44

All 44 CVE vulnerabilities found in grav, with AI-generated Chinese analysis, references, and POCs.

This page provides a comprehensive aggregation of security vulnerabilities associated with Grav, an open-source flat-file CMS developed by the Rocket team. It collects data regarding Common Weakness Enumerations (CWE) affecting this specific software, focusing on flaws such as insecure direct object references, cross-site scripting, and path traversal issues. The database covers vulnerability reports from the earliest public disclosures up to the most recent updates, ensuring a historical view of the product's security landscape. Visitors to this resource can track advisories released by the Grav vendor to understand how quickly critical issues are patched and communicated. Users may also explore the broader context of a specific weakness class within the Grav ecosystem to assess the severity and frequency of such bugs. Furthermore, the page allows for a detailed look-up of a product’s vulnerability history, enabling security researchers and administrators to review past incidents and identify patterns in code quality or design flaws. This information aids in making informed decisions about system maintenance, patching priorities, and risk mitigation strategies. By centralizing these details, the page serves as a single point of reference for anyone evaluating the current security posture of Grav instances. It is essential for developers to review these entries to ensure their deployments are protected against known exploits. The aggregated data supports both proactive defense measures and post-incident analysis for organizations relying on this CMS infrastructure.

Vendor: getgrav

CVE IDTitleCVSSSeverityPublished
CVE-2026-42844 Grav: Low-privileged API users can create super-admin accounts via blueprint-upload CWE-434--2026-05-12
CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() CWE-200 7.7 High2026-05-11
CVE-2026-42842 grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel CWE-79 5.4 Medium2026-05-11
CVE-2026-42613 Grav: Privilege Escalation via Missing Server-Side Validation of groups/access CWE-20 9.4 Critical2026-05-11
CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes CWE-79 8.5 High2026-05-11
CVE-2026-42611 Grav: Stored XSS via Tag Injection CWE-79 8.9 High2026-05-11
CVE-2026-42610 Grav: Sensitive Information Disclosure via Accounts Service Bypass CWE-863 6.5 Medium2026-05-11
CVE-2026-42609 Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic CWE-269 8.1 High2026-05-11
CVE-2026-42608 Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component. CWE-22--2026-05-11
CVE-2026-42607 Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature CWE-94 9.1 Critical2026-05-11
CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS CWE-79--2026-05-11
CVE-2025-66312 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66311 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66310 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66309 Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab CWE-79 6.1AIMediumAI2025-12-01
CVE-2025-66308 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` CWE-79 5.4AIMediumAI2025-12-01
CVE-2025-66307 Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure CWE-204 6.5 Medium2025-12-01
CVE-2025-66306 Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel CWE-639 4.3 Medium2025-12-01
CVE-2025-66305 Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter CWE-248 4.9AIMediumAI2025-12-01
CVE-2025-66304 Grav Exposes Password Hashes Leading to privilege escalation CWE-200 6.2 Medium2025-12-01
CVE-2025-66303 Grav is vulnerable to a DOS on the admin panel CWE-400 4.9 Medium2025-12-01
CVE-2025-66302 Grav vulnerable to Path Traversal allowing server files backup CWE-22 6.8 Medium2025-12-01
CVE-2025-66301 Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions CWE-285 4.3AIMediumAI2025-12-01
CVE-2025-66300 Grav is vulnerable to Arbitrary File Read CWE-22 8.5 High2025-12-01
CVE-2025-66299 Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS CWE-94 8.8 High2025-12-01
CVE-2025-66298 Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms CWE-1336 5.3AIMediumAI2025-12-01
CVE-2025-66297 Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection CWE-1336 7.2AIHighAI2025-12-01
CVE-2025-66296 Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover CWE-266 8.8 High2025-12-01
CVE-2025-66294 Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass CWE-94 7.2AIHighAI2025-12-01
CVE-2025-66295 Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption CWE-22 8.8 High2025-12-01

All 44 known CVE vulnerabilities affecting grav with full Chinese analysis, references, and POCs where available.