Getgrav Grav vulnerabilities
73 known vulnerabilities affecting getgrav/grav.
Total CVEs: 73
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 31, MEDIUM 34
Vulnerabilities (page 4 of 4)
CVE-2022-0268 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.7.28 | 2022-01-25
Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28.
Sources: GHSA, NVD, OSV
CVE-2019-16126 | P4 | MEDIUM | CWE-79 | affected ≥ 0, < 1.7.0-beta.8 | 2019-11-08
Cross-site Scripting in Grav
Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.
Sources: GHSA, OSV
CVE-2025-66303 | P4 | MEDIUM | CVSS 4.9 | CWE-400 | fixed in 1.8.0 | v1.8.0 (+1 more) | 2025-12-01
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quo
Sources: GHSA, NVD, OSV
CVE-2026-42841 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected ≤ 1.8.0 | v2.0.0 (+1 more) | 2026-05-11
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public a
Sources: GHSA, NVD
CVE-2023-31506 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≤ 1.7.44 | 2024-02-09
A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.
Sources: NVD
CVE-2025-63593 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.7.49.5 | 2025-11-03
Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS).
Sources: NVD
CVE-2022-1173 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.7.33 | 2022-04-26
Stored XSS in GitHub repository getgrav/grav prior to 1.7.33.
Sources: GHSA, NVD, OSV
CVE-2021-3904 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.7.24 | 2021-10-27
grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sources: GHSA, NVD, OSV
CVE-2025-66305 | P4 | MEDIUM | CVSS 4.9 | CWE-248 | affected ≥ 1.7.48, < 1.8.0 | v1.8.0 (+1 more) | 2025-12-01
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or
Sources: GHSA, NVD, OSV
CVE-2024-35498 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.7.45 | 2025-01-06
A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Sources: GHSA, NVD, OSV
CVE-2022-0743 | P4 | MEDIUM | CVSS 4.6 | CWE-79 | fixed in 1.7.31 | 2022-02-28
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.
Sources: GHSA, NVD, OSV
CVE-2026-55890 | MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0, < 2.0.0-rc.9 | 2026-06-18
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
## Summary
The fix for **GHSA-r7fx-8g49-7hhr / CVE-2026-42841** (Stored XSS via Markdown media `attribute()` action) is incomplete. The maintainer patched `MediaObjectTrait::attribute()` to deny dangerous
Sources: GHSA
CVE-2026-55885 | MEDIUM | CWE-312 | affected ≥ 0, < 1.7.53 | 2026-06-18
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
### Summary
An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin's bcrypt password hash and email, plus `user/config/` with all site configuration. The download endpoint requires
Sources: GHSA