
Getgrav Grav vulnerabilities

73 known vulnerabilities affecting getgrav/grav.

Total CVEs: 73
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 31, MEDIUM 34

Vulnerabilities

Page 2 of 4
CVE-2025-66299 | P3 | HIGH | CVSS 8.8 | fixed in 1.8.0 | v1.8.0 +1 more | 2025-12-01
CWE-94 | Sources: GHSA, NVD, OSV
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible

CVE-2023-37897 | P3 | HIGH | CVSS 8.8 | v1.7.42 | v1.7.42.1 +1 more | 2023-07-18
CWE-74 | Sources: GHSA, NVD, OSV
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to exec

CVE-2025-66295 | P3 | HIGH | CVSS 8.8 | ≥ 1.7.49.5, < 1.8.0 | v1.8.0 +1 more | 2025-12-01
CWE-22 | Sources: GHSA, NVD, OSV
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain accoun

CVE-2018-5233 | P3 | MEDIUM | PoC | ≥ 0, < 1.3.0 | 2022-05-14
CWE-79 | Sources: GHSA, OSV
Grav CMS Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in `system/src/Grav/Common/Twig/Twig.php` in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.

CVE-2023-34448 | P3 | HIGH | CVSS 7.2 | fixed in 1.7.42 | 2023-06-14
Sources: GHSA, NVD, OSV
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code

CVE-2020-29555 | P3 | HIGH | ≥ 1.7.0-beta.1, ≤ 1.7.0-rc.17 | ≥ 0, < 1.6.30 | 2022-05-24
CWE-22 | Sources: GHSA, OSV
Grav CMS Arbitrary File Deletion
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)

CVE-2026-42609 | P3 | HIGH | CVSS 8.1 | ≤ 1.8.0 | v2.0.0 +1 more | 2026-05-11
CWE-269 | Sources: GHSA, NVD
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's me

CVE-2022-2073 | P3 | HIGH | CVSS 7.2 | fixed in 1.7.34 | fixed in 1.7.42 | 2022-06-29
CWE-94 | Sources: GHSA, NVD, OSV
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.

CVE-2023-34253 | P3 | HIGH | CVSS 7.2 | fixed in 1.7.42 | 2023-06-14
CWE-184 | Sources: GHSA, NVD, OSV
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names,

CVE-2023-34252 | P3 | HIGH | CVSS 7.2 | fixed in 1.7.42 | 2023-06-14
CWE-184 | Sources: GHSA, NVD, OSV
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipp

CVE-2026-44738 | P3 | HIGH | CVSS 7.7 | fixed in 2.0.0 | v2.0.0 +1 more | 2026-05-11
CWE-200 | Sources: GHSA, NVD
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administra

CVE-2026-29924 | P3 | HIGH | CVSS 7.6 | fixed in 1.8.0 | 2026-03-30
CWE-611 | Sources: NVD
Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

CVE-2025-66844 | P3 | CRITICAL | CVSS 9.1 | fixed in 1.7.49.5 | 2025-12-15
CWE-918 | Sources: GHSA, NVD, OSV
In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered

CVE-2023-34251 | P3 | HIGH | CVSS 7.2 | fixed in 1.7.42 | 2023-06-14
CWE-94 | Sources: GHSA, NVD, OSV
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

CVE-2025-46199 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.7.48 | 2025-07-25
CWE-79 | Sources: NVD
Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields

CVE-2025-66304 | P3 | HIGH | CVSS 7.2 | ≥ 1.7.46, < 1.8.0 | v1.8.0 +1 more | 2025-12-01
CWE-200 | Sources: GHSA, NVD, OSV
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-

CVE-2021-3924 | P3 | HIGH | CVSS 7.5 | ≤ 1.7.24 | 2021-11-05
CWE-22 | Sources: GHSA, NVD, OSV
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-66298 | P3 | HIGH | CVSS 7.5 | fixed in 1.8.0 | v1.8.0 +1 more | 2025-12-01
CWE-1336 | Sources: GHSA, NVD, OSV
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerabilit

CVE-2026-42611 | P3 | HIGH | CVSS 8.9 | ≤ 1.8.0 | v2.0.0 +1 more | 2026-05-11
CWE-79 | Sources: GHSA, NVD
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use o

CVE-2025-66302 | P3 | MEDIUM | CVSS 6.8 | fixed in 1.8.0 | v1.8.0 +1 more | 2025-12-01
CWE-22 | Sources: GHSA, NVD, OSV
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied
Getgrav Grav vulnerabilities | cvebase