7 matches found
CVE-2026-42609
Grav CVE-2026-42609 describes a business-logic flaw in the Grav Admin Panel where a low-privileged user with admin user-creation permissions can overwrite a higher-privilege account by creating a new user with an existing username. The system incorrectly updates the existing account’s metadata an...
PT-2026-39296
Name of the Vulnerable Software and Affected Versions grav-plugin-admin versions prior to 1.10.49.5 Description The application fails to properly validate and sanitize user input in the dataheadertitle parameter. This allows attackers to craft a malicious URL containing a Cross-Site Scripting XSS...
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...
GHSA-RR73-568V-28F8 Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...
PT-2026-37275
Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A business logic issue in the Grav Admin Panel allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new...
Information Exposure
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Information Exposure in the user account management section of the admin panel. An attacker can obtain password hashes of all users, including...
CVE-2025-66306
CVE-2025-66306 describes an Insecure Direct Object Reference (IDOR) in Grav CMS Admin Panel prior to 1.8.0-beta.27. The vulnerability allows low-privilege authenticated users to access information from other accounts via endpoints such as /admin/accounts/users/{username}, potentially exposing adm...