14 matches found

CVE-2026-42607
Source: CVE | Added: 2026/05/11 2:58 p.m. | 12 views

CVE-2026-42607 (Grav) : An authenticated admin can achieve Remote Code Execution by uploading a malicious ZIP via the Direct Install tool. The ZIP contents are not inspected before extraction, allowing arbitrary PHP execution or dropping a web shell. This affects Grav’s Admin plugin and the Grav ...

CVSS: 9.1 | AI score: 6.2 | EPSS: 0.03934 | Exploits: 4 | References: 2

PT-2026-37279
Source: Positive Technologies | Added: 2026/05/05 12:00 a.m. | 7 views

Name of the Vulnerable Software and Affected Versions: Grav version 1.8.0-beta.29; Login Plugin versions prior to 3.8.2. Description: A missing server-side validation issue exists in the Login::register function of the Login plugin. When user registration is enabled and the groups or access fields ar...

CVSS: 9.4 | AI score: 6.5 | EPSS: 0.00939 | Exploits: 0 | References: 7

EUVD-2026-26154
Source: EUVD | Added: 2026/04/28 8:30 p.m. | 1 view

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be...

CVSS: 5 | AI score: 4.8 | EPSS: 0.00224 | Exploits: 0 | References: 6

PT-2026-35830
Source: Positive Technologies | Added: 2026/04/28 12:00 a.m. | 3 views

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be...

CVSS: 5 | AI score: 4.8 | EPSS: 0.00224 | Exploits: 0 | References: 7

CVE-2025-66844
Source: NVD | Added: 2025/12/15 4:15 p.m. | 4 views

In grav 1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered...

CVSS: 9.1 | EPSS: 0.00247 | Exploits: 1 | References: 1

CVE-2025-63593
Source: RedhatCVE | Added: 2025/11/04 12:53 a.m. | 5 views

Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS)...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.00192 | Exploits: 1 | References: 1

CVE-2025-63593
Source: NVD | Added: 2025/11/03 8:19 p.m. | 3 views

Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS)...

CVSS: 6.1 | EPSS: 0.00192 | Exploits: 1 | References: 2

CVE-2025-63593
Source: CVE | Added: 2025/11/03 12:00 a.m. | 7 views

Grav CMS 1.7.49.5 is reported as vulnerable to Cross-Site Scripting (XSS). The CNVD/Red Hat/NVD entries describe an XSS that arises from insufficient filtering/escaping of user-supplied data, enabling execution of arbitrary scripts in a user’s browser. The XSS affects Grav’s input handling and is...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.00192 | Exploits: 1 | References: 2 | Affected Software: 1

EUVD-2022-6030
Source: EUVD | Added: 2025/10/03 8:07 p.m. | 2 views

Malicious code in bioql PyPI...

CVSS: 9.1 | AI score: 8 | EPSS: 0.09231 | Exploits: 2 | References: 4

CVE-2025-46198
Source: NVD | Added: 2025/07/25 8:15 p.m. | 4 views

Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element...

CVSS: 8.8 | EPSS: 0.00602 | Exploits: 1 | References: 2

CVE-2025-46198
Source: Vulnrichment | Added: 2025/07/25 12:00 a.m. | 4 views

Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element...

AI score: 7.5 | EPSS: 0.00602 | Exploits: 1 | References: 2

CVE-2024-35498
Source: NVD | Added: 2025/01/06 7:15 p.m. | 27 views

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVSS: 6.1 | EPSS: 0.00364 | Exploits: 1 | References: 2

CVE-2024-35498
Source: Vulnrichment | Added: 2025/01/06 12:00 a.m. | 6 views

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

AI score: 5.9 | EPSS: 0.00364 | Exploits: 1 | References: 2

CVE-2023-34448 Grav Server-side Template Injection (SSTI) via Twig Default Filters
Source: Vulnrichment | Added: 2023/06/14 10:06 p.m. | 10 views

Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default filter function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke...

CVSS: 8.8 | AI score: 7.8 | EPSS: 0.04515 | Exploits: 1 | References: 5