Grav
This hub aggregates every CVE we track for Grav. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 64
- Critical: 8
- High: 29
- In CISA KEV: 0
Severity distribution: Critical 8, High 29, Medium 27
Monthly trend (chart omitted: CVEs published per month, 2024-07 to 2026-06)
Latest CVEs
The 15 most recently published vulnerabilities affecting Grav.
- CVE-2026-42844: Grav: Low-privileged API users can create super-admin accounts via blueprint-upload (score: 8.8)
- CVE-2026-44738: Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() (score: 7.7)
- CVE-2026-42842: grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel (score: 5.4)
- CVE-2026-42613: Grav: Privilege Escalation via Missing Server-Side Validation of groups/access (score: 9.4)
- CVE-2026-42612: Grav: Publisher-Level Stored XSS via Unquoted Event Attributes (score: 8.5)
- CVE-2026-42611: Grav: Stored XSS via Tag Injection (score: 8.9)
- CVE-2026-42610: Grav: Sensitive Information Disclosure via Accounts Service Bypass (score: 6.5)
- CVE-2026-42609: Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic (score: 8.1)
- CVE-2026-42608: Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component (score: 9.1)
- CVE-2026-42607: Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature (score: 9.1)
- CVE-2026-42841: Grav: Stored XSS via Markdown media attribute() action in Grav CMS (score: 4.8)
- CVE-2026-29924: Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin. (score: 7.6)
- CVE-2021-47812: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) (score: 9.8)
- CVE-2025-66844: In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be ... (score: 9.1)
- CVE-2025-66843: grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject... (score: 5.4)
Product normalization is registry-driven with AI assist and human review.