Lucene search
K

7 matches found

CVE
CVE
added 2026/05/11 3:3 p.m.13 views

CVE-2026-42609

Grav CVE-2026-42609 describes a business-logic flaw in the Grav Admin Panel where a low-privileged user with admin user-creation permissions can overwrite a higher-privilege account by creating a new user with an existing username. The system incorrectly updates the existing account’s metadata an...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.12 views

PT-2026-39296

Name of the Vulnerable Software and Affected Versions grav-plugin-admin versions prior to 1.10.49.5 Description The application fails to properly validate and sanitize user input in the dataheadertitle parameter. This allows attackers to craft a malicious URL containing a Cross-Site Scripting XSS...

6.2CVSS5.8AI score0.00256EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.8 views

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/05/05 9:29 p.m.5 views

GHSA-RR73-568V-28F8 Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.12 views

PT-2026-37275

Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A business logic issue in the Grav Admin Panel allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References12
Snyk
Snyk
added 2025/12/01 11:4 p.m.2 views

Information Exposure

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Information Exposure in the user account management section of the admin panel. An attacker can obtain password hashes of all users, including...

7.5CVSS7AI score0.00359EPSS
Exploits1References2
CVE
CVE
added 2025/12/01 9:46 p.m.10 views

CVE-2025-66306

CVE-2025-66306 describes an Insecure Direct Object Reference (IDOR) in Grav CMS Admin Panel prior to 1.8.0-beta.27. The vulnerability allows low-privilege authenticated users to access information from other accounts via endpoints such as /admin/accounts/users/{username}, potentially exposing adm...

6.5CVSS6.1AI score0.00258EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder