Getgrav/grav
This hub aggregates every CVE we track for Getgrav/grav, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
Summary:
- CVEs tracked: 51
- Critical: 3
- High: 23
- In CISA KEV: 0

Severity distribution: MEDIUM 25, HIGH 23, CRITICAL 3
Monthly trend (chart; x-axis 2024-07 to 2026-06, one value per month, new CVEs published): 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Getgrav/grav.
- CVE-2025-66844 (score 9.1): In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be ...
- CVE-2025-66843 (score 5.4): grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject...
- CVE-2025-65186 (score 6.1): Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> ta...
- CVE-2025-66312 (score 5.4): Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS), Stored; endpoint `/admin/accounts/groups/[group]`, parameter `data[readableName]`
- CVE-2025-66311 (score 5.4): Grav vulnerable to Cross-Site Scripting (XSS), Stored; endpoint `/admin/pages/[page]`, in multiple parameters
- CVE-2025-66310 (score 5.4): Grav vulnerable to Cross-Site Scripting (XSS), Stored; endpoint `/admin/pages/[page]`, parameter `data[header][template]` in the Advanced tab
- CVE-2025-66309 (score 6.1): Grav vulnerable to Cross-Site Scripting (XSS), Reflected; endpoint `/admin/pages/[page]`, parameter `data[header][content][items]`, located in the "Blog Config" tab
- CVE-2025-66308 (score 5.4): Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS), Stored; endpoint `/admin/config/site`, parameter `data[taxonomies]`
- CVE-2025-66307 (score 6.5): Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
- CVE-2025-66306 (score 4.3): Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
- CVE-2025-66305 (score 4.9): Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
- CVE-2025-66304 (score 6.2): Grav Exposes Password Hashes Leading to Privilege Escalation
- CVE-2025-66303 (score 4.9): Grav is vulnerable to a DoS on the admin panel
- CVE-2025-66302 (score 6.8): Grav vulnerable to Path Traversal allowing server files backup
- CVE-2025-66301 (score 9.6): Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Product normalization is registry-driven with AI assist and human review.