getgrav — Vulnerabilities & Security Advisories 61

Browse all 61 CVE security advisories affecting getgrav. AI-powered Chinese analysis, POCs, and references for each vulnerability.

GetGrav is a flat-file CMS designed for developers seeking a modern, flexible alternative to database-driven platforms. Its architecture eliminates traditional SQL dependencies, relying instead on YAML configuration and Markdown content. However, this design has historically exposed the platform to significant security risks, resulting in forty-seven recorded CVEs. Common vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation flaws, often stemming from inadequate input validation or insecure file handling mechanisms. Notable incidents have highlighted weaknesses in plugin ecosystems and core update processes, allowing attackers to execute arbitrary code or bypass authentication. While the flat-file structure offers performance benefits, it has also introduced unique attack vectors related to file permissions and serialization. Users must prioritize rigorous plugin auditing and timely patching to mitigate these persistent threats inherent in the system’s evolving codebase.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42844 | Grav: Low-privileged API users can create super-admin accounts via blueprint-upload | grav | CWE-434 | - | - | 2026-05-12 |
| CVE-2026-44738 | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() | grav | CWE-200 | 7.7 | High | 2026-05-11 |
| CVE-2026-42842 | grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel | grav | CWE-79 | 5.4 | Medium | 2026-05-11 |
| CVE-2026-42613 | Grav: Privilege Escalation via Missing Server-Side Validation of groups/access | grav | CWE-20 | 9.4 | Critical | 2026-05-11 |
| CVE-2026-42612 | Grav: Publisher-Level Stored XSS via Unquoted Event Attributes | grav | CWE-79 | 8.5 | High | 2026-05-11 |
| CVE-2026-42611 | Grav: Stored XSS via Tag Injection | grav | CWE-79 | 8.9 | High | 2026-05-11 |
| CVE-2026-42610 | Grav: Sensitive Information Disclosure via Accounts Service Bypass | grav | CWE-863 | 6.5 | Medium | 2026-05-11 |
| CVE-2026-42609 | Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic | grav | CWE-269 | 8.1 | High | 2026-05-11 |
| CVE-2026-42608 | Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component. | grav | CWE-22 | - | - | 2026-05-11 |
| CVE-2026-42607 | Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | grav | CWE-94 | 9.1 | Critical | 2026-05-11 |
| CVE-2026-42841 | Grav: Stored XSS via Markdown media attribute() action in Grav CMS | grav | CWE-79 | - | - | 2026-05-11 |
| CVE-2025-66312 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` | grav | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66311 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters | grav | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66310 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab | grav | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66309 | Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab | grav | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66308 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` | grav | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66307 | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure | grav | CWE-204 | 6.5 | Medium | 2025-12-01 |
| CVE-2025-66306 | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel | grav | CWE-639 | 4.3 | Medium | 2025-12-01 |
| CVE-2025-66305 | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter | grav | CWE-248 | 4.9 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66304 | Grav Exposes Password Hashes Leading to privilege escalation | grav | CWE-200 | 6.2 | Medium | 2025-12-01 |
| CVE-2025-66303 | Grav is vulnerable to a DOS on the admin panel | grav | CWE-400 | 4.9 | Medium | 2025-12-01 |
| CVE-2025-66302 | Grav vulnerable to Path Traversal allowing server files backup | grav | CWE-22 | 6.8 | Medium | 2025-12-01 |
| CVE-2025-66301 | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions | grav | CWE-285 | 4.3 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66300 | Grav is vulnerable to Arbitrary File Read | grav | CWE-22 | 8.5 | High | 2025-12-01 |
| CVE-2025-66299 | Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS | grav | CWE-94 | 8.8 | High | 2025-12-01 |
| CVE-2025-66298 | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms | grav | CWE-1336 | 5.3 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-66297 | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection | grav | CWE-1336 | 7.2 (AI) | High (AI) | 2025-12-01 |
| CVE-2025-66296 | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover | grav | CWE-266 | 8.8 | High | 2025-12-01 |
| CVE-2025-66294 | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | grav | CWE-94 | 7.2 (AI) | High (AI) | 2025-12-01 |
| CVE-2025-66295 | Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption | grav | CWE-22 | 8.8 | High | 2025-12-01 |

This page lists every published CVE security advisory associated with getgrav. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.