Lucene search
+L

89 matches found

redhatcve
redhatcve
added 2025/12/02 10:31 p.m.9 views

CVE-2025-66310

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

6.2CVSS5.2AI score0.00182EPSS
Exploits1References1
redhatcve
redhatcve
added 2025/12/02 9:26 p.m.6 views

CVE-2025-66297

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute...

8.8CVSS8.2AI score0.00685EPSS
Exploits1References1
redhatcve
redhatcve
added 2025/12/02 9:26 p.m.12 views

CVE-2025-66300

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. This includes Grav user account files /grav/user/accounts/.yaml, which store hashed user password, 2FA secret, and the password...

8.5CVSS6.8AI score0.00397EPSS
Exploits1References1
github
github
added 2025/12/02 1:24 a.m.10 views

Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertemplate parameter. The script is saved within the page's frontmatter and executed...

6.2CVSS5.1AI score0.00182EPSS
Exploits1References4Affected Software1
euvd
euvd
added 2025/12/02 1:24 a.m.5 views

EUVD-2025-200100

Grav vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/pages/page parameter dataheadertemplate in Advanced Tab...

6.2CVSS5.4AI score0.00182EPSS
Exploits1References3
osv
osv
added 2025/12/02 1:24 a.m.5 views

GHSA-7G78-5G5G-MVFJ Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertemplate parameter. The script is saved within the page's frontmatter and executed...

6.2CVSS5AI score0.00182EPSS
Exploits1References4
github
github
added 2025/12/02 1:24 a.m.13 views

Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection

Summary A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This...

8.8CVSS8.4AI score0.00685EPSS
Exploits1References4Affected Software1
euvd
euvd
added 2025/12/02 1:24 a.m.8 views

EUVD-2025-200078

Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection...

8.7CVSS7.1AI score0.00685EPSS
Exploits1References3
osv
osv
added 2025/12/02 1:24 a.m.7 views

GHSA-858Q-77WX-HHX6 Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection

Summary A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This...

8.7CVSS8.3AI score0.00685EPSS
Exploits1References4
euvd
euvd
added 2025/12/02 12:37 a.m.10 views

EUVD-2025-200099

Grav vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/pages/page in Multiples parameters...

6.2CVSS5.3AI score0.00182EPSS
Exploits1References3
github
github
added 2025/12/02 12:36 a.m.8 views

Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Summary Due to a broken access control vulnerability in the /admin/pages/pagename endpoint, an editor user with full permissions to pages can change the functionality of a form after submission. Details Due to improper authorization checks when modifying critical fields on a POST request to...

9.6CVSS6.8AI score0.01252EPSS
Exploits4References3Affected Software1
osv
osv
added 2025/12/02 12:36 a.m.5 views

GHSA-V8X2-FJV7-8HJH Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Summary Due to a broken access control vulnerability in the /admin/pages/pagename endpoint, an editor user with full permissions to pages can change the functionality of a form after submission. Details Due to improper authorization checks when modifying critical fields on a POST request to...

8.6CVSS6.8AI score0.01252EPSS
Exploits4References3
euvd
euvd
added 2025/12/02 12:36 a.m.7 views

EUVD-2025-200109

Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions...

8.6CVSS6.4AI score0.01252EPSS
Exploits4References2
github
github
added 2025/12/02 12:36 a.m.8 views

Grav is vulnerable to Arbitrary File Read

Summary - A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. - This includes Grav user account files - /grav/user/accounts/.yaml. This file stores hashed user password, 2FA secret, and the password reset token. - This can allow an adversar...

8.5CVSS6.9AI score0.00397EPSS
Exploits1References4Affected Software1
osv
osv
added 2025/12/02 12:36 a.m.5 views

GHSA-P4WW-MCP9-J6F2 Grav is vulnerable to Arbitrary File Read

Summary - A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. - This includes Grav user account files - /grav/user/accounts/.yaml. This file stores hashed user password, 2FA secret, and the password reset token. - This can allow an adversar...

8.5CVSS6.8AI score0.00397EPSS
Exploits1References4
nvd
nvd
added 2025/12/01 10:15 p.m.6 views

CVE-2025-66310

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

6.2CVSS0.00182EPSS
Exploits1References2
nvd
nvd
added 2025/12/01 10:15 p.m.10 views

CVE-2025-66311

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

6.2CVSS0.00182EPSS
Exploits1References2
nvd
nvd
added 2025/12/01 10:15 p.m.6 views

CVE-2025-66300

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. This includes Grav user account files /grav/user/accounts/.yaml, which store hashed user password, 2FA secret, and the password...

8.5CVSS0.00397EPSS
Exploits1References2
nvd
nvd
added 2025/12/01 10:15 p.m.4 views

CVE-2025-66301

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

9.6CVSS0.01252EPSS
Exploits4References1
cvelist
cvelist
added 2025/12/01 10:5 p.m.16 views

CVE-2025-66311 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

6.2CVSS0.00182EPSS
Exploits1References2
Rows per page
Query Builder