| Title | Published | Views | Family |
|---|---|---|---|
| Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) Exploit | 7 Jun 2021 00:00 | – | zdt |
| CVE-2021-29440 | 3 Jun 2021 11:03 | – | circl |
| Grav Code Injection Vulnerability | 13 Apr 2021 00:00 | – | cnnvd |
| Grav Code Injection Vulnerability | 6 May 2021 00:00 | – | cnvd |
| Grav CMS Command Injection (CVE-2021-29440) | 24 Jun 2021 00:00 | – | checkpoint_advisories |
| CVE-2021-29440 Twig allowing dangerous PHP functions by default | 13 Apr 2021 19:55 | – | cvelist |
| Exploit for Code Injection in Getgrav Grav | 6 Jun 2021 00:51 | – | githubexploit |
| Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) | 7 Jun 2021 00:00 | – | exploitdb |
| Grav's Twig processing allowing dangerous PHP functions by default | 16 Apr 2021 19:53 | – | github |
| CVE-2021-29440 | 13 Apr 2021 20:15 | – | nvd |

```json
[
  {
    "product": "grav",
    "vendor": "getgrav",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.7.11"
      }
    ]
  }
]
```

| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| `data[username]` | request body | `/admin` | Authenticated attacker can perform server-side template injection via Grav CMS admin login flow to reach RCE in Twig processing. | CWE-94 |
| `data[password]` | request body | `/admin` | Authenticated attacker can perform server-side template injection via Grav CMS admin login flow to reach RCE in Twig processing. | CWE-94 |
| `login-nonce` | request body | `/admin` | Authenticated attacker can perform server-side template injection via Grav CMS admin login flow to reach RCE in Twig processing. | CWE-94 |
| `data[content]` | request body | `/admin/pages/{project_name}/:add` | Page creation form accepts Twig payload in data[content], enabling SSTI leading to code execution. | CWE-94 |
| `data[header][title]` | request body | `/admin/pages/{project_name}/:add` | Page creation form accepts Twig payload in data[content], enabling SSTI leading to code execution. | CWE-94 |
| `__form-name__` | request body | `/admin/pages/{project_name}/:add` | Page creation form accepts Twig payload in data[content], enabling SSTI leading to code execution. | CWE-94 |
| `__unique_form_id__` | request body | `/admin/pages/{project_name}/:add` | Page creation form accepts Twig payload in data[content], enabling SSTI leading to code execution. | CWE-94 |
| `form-nonce` | request body | `/admin/pages/{project_name}/:add` | Page creation form accepts Twig payload in data[content], enabling SSTI leading to code execution. | CWE-94 |