Getgrav Grav
44 CVEs affecting Getgrav Grav. Latest disclosed: 2026-05-12. Critical: 4, High: 21.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-34251 | Critical | 10.0 | 2023-06-14 | Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by… |
| CVE-2026-42613 | Critical | 9.4 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields… |
| CVE-2026-42608 | Critical | 9.1 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the sess… |
| CVE-2026-42607 | Critical | 9.1 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploa… |
| CVE-2026-42611 | High | 8.9 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg ele… |
| CVE-2026-42844 | High | 8.8 | 2026-05-12 | Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to wri… |
| CVE-2025-66299 | High | 8.8 | 2025-12-01 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user… |
| CVE-2025-66296 | High | 8.8 | 2025-12-01 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav's Admin plugin due to the absence of username un… |
| CVE-2025-66295 | High | 8.8 | 2025-12-01 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a u… |
| CVE-2024-28119 | High | 8.8 | 2024-03-21 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context… |
| CVE-2024-28118 | High | 8.8 | 2024-03-21 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context… |
| CVE-2024-28117 | High | 8.8 | 2024-03-21 | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunctio… |
| CVE-2024-28116 | High | 8.8 | 2024-03-21 | Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which a… |
| CVE-2024-27921 | High | 8.8 | 2024-03-21 | Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version… |
| CVE-2024-27923 | High | 8.8 | 2024-03-06 | Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission… |
| CVE-2023-34448 | High | 8.8 | 2023-06-14 | Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav lev… |
| CVE-2023-34253 | High | 8.8 | 2023-06-14 | Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being exec… |
| CVE-2023-34252 | High | 8.8 | 2023-06-14 | Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation… |
| CVE-2026-42612 | High | 8.5 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to… |
| CVE-2025-66300 | High | 8.5 | 2025-12-01 | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can read any server files using "Frontmatte… |