| Severity | CVSS score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.4 | CVE-2026-42613 | Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access | from 0, < 2.0.0-beta.2 |
| CRITICAL | 9.1 | CVE-2026-42607 | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | from 0, < 2.0.0-beta.2 |
| CRITICAL | 9.1 | CVE-2025-66844 | Grav may be vulnerable to SSRF attack via Twig Templates | from 0, <= 1.7.49.5 |
| CRITICAL | 9.1 | | Grav Server Side Template Injection (SSTI) vulnerability | from 0, < 1.7.42 |
| HIGH | 8.9 | | Grav is Vulnerable to Stored XSS via Tag Injection | from 0, < 2.0.0-beta.2 |
| HIGH | 8.8 | | Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption | from 0, < 1.8.0-beta.27 |
| HIGH | 8.8 | | Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) | from 0, < 1.8.0-beta.27 |
| HIGH | 8.8 | | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover | from 0, < 1.8.0-beta.27 |
| HIGH | 8.8 | | Server Side Template Injection (SSTI) via Twig escape handler | from 0, < 1.7.45 |
| HIGH | 8.8 | | Server Side Template Injection (SSTI) | from 0, < 1.7.45 |
| HIGH | 8.8 | | Server Side Template Injection (SSTI) | from 0, < 1.7.45 |
| HIGH | 8.8 | | Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass | from 0, < 1.7.45 |
| HIGH | 8.8 | | Grav File Upload Path Traversal | from 0, < 1.7.45 |
| HIGH | 8.8 | | Remote Code Execution by uploading a phar file using frontmatter | from 0, < 1.7.43 |
| HIGH | 8.8 | | Grav CMS Cross-Site Request Forgery (CSRF) | >= 1.7.0-beta.1, <= 1.7.0-rc.17 |
| HIGH | 8.8 | | Path traversal in grav | from 0, <= 1.7.24 |
| HIGH | 8.5 | | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes | from 0, < 2.0.0-beta.2 |
| HIGH | 8.5 | | Grav is vulnerable to Arbitrary File Read | from 0, < 1.8.0-beta.27 |
| HIGH | 8.5 | | Grav Vulnerable to Arbitrary File Read to Account Takeover | from 0, < 1.7.46 |
| HIGH | 8.4 | | Grav's Twig processing allowing dangerous PHP functions by default | from 0, < 1.7.11 |
| HIGH | 8.1 | | Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic | from 0, < 2.0.0-beta.2 |
| HIGH | 8.1 | | Grav CMS Arbitrary File Deletion | >= 1.7.0-beta.1, <= 1.7.0-rc.17 |
| HIGH | 7.7 | | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() | from 0, < 2.0.0-rc.2 |
| HIGH | 7.2 | | grav Server-side Template Injection (SSTI) mitigation bypass | from 0, < 1.7.42.2 |
| HIGH | 7.2 | | Grav Server-side Template Injection (SSTI) via Twig Default Filters | from 0, < 1.7.42 |
| HIGH | 7.2 | | Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability | from 0, < 1.7.42 |
| HIGH | 7.2 | | Grav Server-side Template Injection (SSTI) via Twig Default Filters | from 0, < 1.7.42 |
| HIGH | 7.2 | | Code injection in grav | from 0, < 1.7.34 |
| HIGH | 7.1 | | Stored Cross-site Scripting in grav | from 0, < 1.7.31 |
| MEDIUM | 6.8 | | Grav vulnerable to Path Traversal allowing server files backup | from 0, < 1.8.0-beta.27 |
| MEDIUM | 6.5 | | Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass | from 0, < 2.0.0-beta.2 |
| MEDIUM | 6.5 | | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure | from 0, < 1.8.0-beta.27 |
| MEDIUM | 6.3 | | Cross-Site Scripting in grav | from 0, < 1.7.24 |
| MEDIUM | 6.3 | | Reliance on Cookies without Validation and Integrity Checking in getgrav/grav | from 0, < 1.7.21 |
| MEDIUM | 6.2 | | Grav Exposes Password Hashes Leading to privilege escalation | from 0, < 1.8.0-beta.27 |
| MEDIUM | 6.1 | | Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor | from 0, <= 1.7.49 |
| MEDIUM | 6.1 | | Grav CMS Cross-site scripting (XSS) vulnerability | from 0, < 1.3.0 |
| MEDIUM | 6.1 | | Open Redirect in Grav | from 0, < 1.6.23 |
| MEDIUM | 6.1 | | Cross-site Scripting in Grav | from 0, < 1.7.0-beta.8 |
| MEDIUM | 5.7 | | Cross-site Scripting in grav | from 0, < 1.7.28 |
| MEDIUM | 5.5 | | Grav CMS Local File Injection | >= 1.7.0-beta.1, <= 1.7.0-rc.17 |
| MEDIUM | 5.4 | | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel | from 0, < 2.0.0-beta.2 |
| MEDIUM | 5.4 | | Grav is vulnerable to Stored XSS through authenticated user-edited content | from 0, <= 1.7.49.5 |
| MEDIUM | 5.4 | | Cross-site scripting (XSS) vulnerability in Grav | from 0 |
| MEDIUM | 5.4 | | Stored cross site scripting in getgrav/grav | from 0, < 1.7.33 |
| MEDIUM | 5.0 | | Grav has Insecure Deserialization in File Cache | from 0, < 2.0.0-beta.2 |
| MEDIUM | 4.9 | | Grav is vulnerable to a DOS on the admin panel | from 0, < 1.8.0-beta.27 |
| MEDIUM | 4.8 | | Grav CMS vulnerable to stored XSS via Markdown media attribute() action | from 0, < 2.0.0-beta.2 |
| MEDIUM | 4.6 | | Cross site scripting in getgrav/grav | from 0, < 1.7.31 |
| MEDIUM | 4.3 | | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel | from 0, < 1.8.0-beta.27 |
| — | — | | Grav: Stored XSS via page title (data[header][title]) in admin panel | from 0, < 1.7.49.5 |
| — | — | | Low-privileged Grav API users can create super-admin accounts via blueprint-upload | from 0, < 2.0.0-beta.4 |
| — | — | | Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component | from 0, < 2.0.0-beta.2 |
| — | — | | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms | from 0, < 1.8.0-beta.27 |
| — | — | | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | from 0, < 1.8.0-beta.27 |
| — | — | | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab | from 0, < 1.8.0-beta.27 |
| — | — | | Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab | from 0, < 1.8.0-beta.27 |
| — | — | | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection | from 0, < 1.8.0-beta.27 |
| — | — | | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` | from 0, < 1.8.0-beta.27 |
| — | — | | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter | from 0, < 1.8.0-beta.27 |
| — | — | | Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` | from 0, < 1.8.0-beta.27 |
| — | — | | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters | from 0, < 1.11.0-beta.1 |
| — | — | | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions | from 0, < 1.8.0-beta.27 |
| — | — | | Grav Cross-site Scripting vulnerability | from 0, <= 1.7.45 |