61 matches found

Nuclei
added yesterday, 44 views

Grav CMS <1.3.0 - Cross-Site Scripting

Grav CMS before 1.3.0 is vulnerable to cross-site scripting via system/src/Grav/Common/Twig/Twig.php and allows remote attackers to inject arbitrary web script or HTML via the PATHINFO to admin/tools. id: CVE-2018-5233 info: name: Grav CMS 1.3.0 - Cross-Site Scripting author: pikpikcu severity:...

CVSS 6.1 | AI score 6.4 | EPSS 0.03401
Exploits: 3 | References: 4
Snyk
added 2026/05/08 7:38 p.m., 4 views

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dataheadertitle parameter in the admin panel. An attacker can execute arbitrary JavaScript code in the contex...

CVSS 8.4 | AI score 5.8 | EPSS 0.00256
Exploits: 0 | References: 2
Snyk
added 2026/05/05 9:29 p.m., 5 views

Deserialization of Untrusted Data

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the FileCache::doGet process. An attacker can execute arbitrary code by tampering with cache files to...

CVSS 8.8 | AI score 6.1 | EPSS 0.00224
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/05 12:00 a.m., 16 views

PT-2026-37278

Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2. Description: A stored Cross-Site Scripting (XSS) issue allows publisher-level accounts to execute arbitrary JavaScript. The problem is caused by a blacklist bypass in the detectXss function, which fails to...

CVSS 8.5 | AI score 6.1 | EPSS 0.00238
Exploits: 1 | References: 8
GithubExploit
added 2026/02/28 5:39 p.m., 125 views

Exploit for Unrestricted Upload of File with Dangerous Type in Getgrav Grav

No d...

CVSS 8.1 | AI score 5.9 | EPSS 0.0871
Exploits: 7
RedhatCVE
added 2026/01/09 8:41 a.m., 7 views

CVE-2022-0970

Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31...

CVSS 7.1 | AI score 5.8 | EPSS 0.01771
Exploits: 1 | References: 1
Snyk
added 2025/12/01 11:02 p.m., 2 views

Authorization Bypass Through User-Controlled Key

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /admin/accounts/users/username endpoint. An attacker can obtain sensitive information...

CVSS 6.5 | AI score 6.5 | EPSS 0.00253
Exploits: 1 | References: 2
EUVD
added 2025/10/03 8:07 p.m., 11 views

EUVD-2022-1527

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.3 | EPSS 0.01771
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2022-0492

Malicious code in bioql PyPI...

CVSS 5.7 | AI score 5.6 | EPSS 0.01416
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-1608

Malicious code in bioql PyPI...

CVSS 8.2 | AI score 6.8 | EPSS 0.01472
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-1273

Malicious code in bioql PyPI...

CVSS 4.6 | AI score 4.8 | EPSS 0.01343
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-6030

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 8 | EPSS 0.09045
Exploits: 2 | References: 4
RedhatCVE
added 2025/02/05 10:55 p.m., 8 views

CVE-2022-1173

Stored XSS in GitHub repository getgrav/grav prior to 1.7.33...

CVSS 8.2 | AI score 6.4 | EPSS 0.01472
Exploits: 1 | References: 1
RedhatCVE
added 2025/02/05 9:19 p.m., 6 views

CVE-2022-2073

Code Injection in GitHub repository getgrav/grav prior to 1.7.34...

CVSS 9.1 | AI score 7 | EPSS 0.09045
Exploits: 2 | References: 1
GithubExploit
added 2024/11/13 12:30 a.m., 751 views

Exploit for Improper Access Control in Getgrav Grav-Plugin-Admin

Exploit for: GravCMS 1.10.7 - Arbitrary YAML Write/...

CVSS 9.8 | AI score 9.7 | EPSS 0.80467
Exploits: 12
Veracode
added 2024/03/26 12:41 p.m., 16 views

Arbitrary Code Execution

getgrav/grav is vulnerable to Arbitrary Code Execution. This vulnerability is due to improper validation of accessible functions through the Utils::isDangerousFunction and the lack of restrictions on twig functions like twigarraymap, allowing attackers to bypass the validation and execute arbitra...

CVSS 8.8 | AI score 7.6 | EPSS 0.01381
Exploits: 1 | References: 2 | Affected Software: 1
Veracode
added 2024/03/26 11:53 a.m., 22 views

Code Injection

getgrav/grav is vulnerable to Code Injection. The vulnerability is due to unrestricted access to the twig extension class from the Grav context within twig.php, which allows attackers to redefine the escape function and execute arbitrary commands...

CVSS 8.8 | AI score 7.5 | EPSS 0.01584
Exploits: 1 | References: 3 | Affected Software: 1
Veracode
added 2024/03/07 10:30 a.m., 13 views

Insufficient Permission Validation

getgrav/grav is vulnerable to Insufficient Permission Validation. The vulnerability is due to enabling regular users with page creation privileges to access the Frontmatter feature when the datajsonheaderform parameter is included in the POST body while creating a page. The vulnerability is also...

CVSS 8.8 | AI score 7.4 | EPSS 0.01357
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2023/07/21 7:19 a.m., 17 views

Server-Side Template Injection

getgrav/grav is vulnerable to Server-Side Template Injection. The vulnerability exists because it does not properly validate the denylist, which allows an attacker to execute a template injection payload by inserting a double backslash in the $name parameter...

CVSS 8.8 | AI score 7.4 | EPSS 0.02259
Exploits: 1 | References: 3 | Affected Software: 1
Veracode
added 2023/06/21 6:49 a.m., 15 views

Server-side Template Injection (SSTI)

getgrav/grav is vulnerable to Server-side Template Injection (SSTI). Malicious PHP code can be executed remotely by an authenticated attacker with page editing privileges, resulting in remote code execution...

CVSS 9.9 | AI score 7.4 | EPSS 0.02338
Exploits: 1 | References: 8 | Affected Software: 1