
71 matches found

Source: NVD (added 2026/05/12 10:16 p.m.)

CVE-2026-42844

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full...

CVSS 8.8, EPSS 0.00046
Exploits: 1, References: 1
Source: CVE (added 2026/05/11 3:19 p.m.)

CVE-2026-42610

Grav CMS vulnerability CVE-2026-42610: A low-privilege user can bypass Twig sandbox via grav['accounts'] to load administrative user objects and extract sensitive data (e.g., bcrypt password hashes and the security salt). This information disclosure affects Grav before 2.0.0-beta.2. The issue is ...

CVSS 6.5, AI score 5.8, EPSS 0.00027
Exploits: 1, References: 2, Affected software: 1
Source: Vulnrichment (added 2026/05/11 3:03 p.m.)

CVE-2026-42609 Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that alread...

CVSS 8.1, AI score 5.8, EPSS 0.00041
Exploits: 1, References: 4
Source: Positive Technologies (added 2026/05/11 12:00 a.m.)

PT-2026-39647

Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-rc.2. Description: The Twig sandbox allow-list permits any user with the admin.pages role to call the config.toArray function from within a page body. This action dumps the entire merged site configuration into the...

CVSS 7.7, AI score 5.8, EPSS 0.00036
Exploits: 1, References: 7
Source: Positive Technologies (added 2026/05/06 12:00 a.m.)

PT-2026-38282

Name of the Vulnerable Software and Affected Versions: Grav version 2.0.0-beta.2. Description: A low-privileged authenticated API user with api.media.write permissions can achieve full administrative compromise of the Grav API. The issue exists in the API plugin's blueprint upload flow because the...

CVSS 8.7, AI score 5.9, EPSS 0.00046
Exploits: 1, References: 5
Source: Github Security Blog (added 2026/05/05 9:36 p.m.)

Grav is Vulnerable to Stored XSS via Tag Injection

Summary: A low-privileged user with the ability to create a page can cause XSS by injecting an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page, which can further be chained with the...

CVSS 8.9, AI score 5.8, EPSS 0.00043
Exploits: 1, References: 4, Affected software: 1
Source: OSV (added 2026/05/05 9:36 p.m.)

GHSA-W8CG-7JCJ-4VV2 Grav is Vulnerable to Stored XSS via Tag Injection

Summary: A low-privileged user with the ability to create a page can cause XSS by injecting an svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page, which can further be chained with the...

CVSS 8.9, AI score 5.8, EPSS 0.00043
Exploits: 1, References: 4
Source: Github Security Blog (added 2026/05/05 9:35 p.m.)

Grav is Vulnerable to XXE via SVG Upload

Dear Grav Security Team, A security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.

Vulnerability Summary

| Field | Details |
|-------|---------|
| Vulnerability Type | XML External... |

AI score 6
Exploits: 0, References: 3, Affected software: 1
Source: Snyk (added 2026/05/05 9:35 p.m.)

XML External Entity (XXE) Injection

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection in the simplexml_load_string process when handling uploaded SVG files. An attacker can access sensitive files...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 2
Source: Snyk (added 2026/05/05 9:34 p.m.)

Directory Traversal

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Directory Traversal via the FormFlash process when the sessionid parameter mapped to form-flash-id in POST requests is not properly sanitized...

CVSS 9.3, AI score 6.3, EPSS 0.00121
Exploits: 1, References: 2
Source: OSV (added 2026/05/05 9:27 p.m.)

GHSA-9695-8FR9-HW5Q Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes

Summary: A stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details: The detectXss function relies on a...

CVSS 8.5, AI score 6.1, EPSS 0.00033
Exploits: 1, References: 4
Source: Github Security Blog (added 2026/05/05 9:27 p.m.)

Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes

Summary: A stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details: The detectXss function relies on a...

CVSS 8.5, AI score 6.1, EPSS 0.00033
Exploits: 1, References: 4, Affected software: 1
Source: Github Security Blog (added 2026/05/05 9:26 p.m.)

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary: Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user (e.g., Content Editor) with only...

CVSS 6.5, AI score 5.8, EPSS 0.00027
Exploits: 1, References: 4, Affected software: 1
Source: OSV (added 2026/05/05 9:21 p.m.)

GHSA-W48R-JPPP-RCFW Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Summary: An authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives...

CVSS 9.1, AI score 6.2, EPSS 0.00455
Exploits: 2, References: 4
Source: Circl (added 2026/05/05 10:55 a.m.)

CVE-2026-44737

| creationtimestamp | type | source |
|---|---|---|
| 2026-05-05 10:55:40+00:00 | published-proof-of-concept | https://github.com/getgrav/grav/security/advisories/GHSA-fmg2-f5r9-24qc... |

CVSS 6.2, AI score 5.8, EPSS 0.00057
Exploits: 0, References: 1
Source: Circl (added 2026/04/29 5:56 p.m.)

CVE-2026-42845

| creationtimestamp | type | source |
|---|---|---|
| 2026-04-29 17:56:54+00:00 | published-proof-of-concept | https://github.com/getgrav/grav/security/advisories/GHSA-w4rc-p66m-x6qq... |

CVSS 8.7, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 1
Source: Vulnrichment (added 2026/04/28 8:30 p.m.)

CVE-2026-7317 Grav CMS Cache Value FileCache.php doGet deserialization

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be...

CVSS 5, AI score 4.8, EPSS 0.00066
Exploits: 0, References: 6
Source: RedhatCVE (added 2026/01/07 9:30 a.m.)

CVE-2019-16126

Grav through 1.6.15 allows Stored Cross-Site Scripting due to JavaScript execution in SVG images...

CVSS 6.1, AI score 6.4, EPSS 0.00613
Exploits: 1, References: 1
Source: OSV (added 2025/12/15 6:30 p.m.)

GHSA-MH85-44C2-3M97 Grav is vulnerable to Stored XSS through authenticated user-edited content

Grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later...

CVSS 5.4, AI score 5.4, EPSS 0.00026
Exploits: 1, References: 3
Source: Github Security Blog (added 2025/12/15 6:30 p.m.)

Grav may be vulnerable to SSRF attack via Twig Templates

In Grav 1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered...

CVSS 9.1, AI score 6.9, EPSS 0.00056
Exploits: 1, References: 3, Affected software: 1