📦 Grav
by Getgrav
🛡️ Security Overview
⚠️ Known Vulnerabilities
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Grav CMS versions before 1.7.49.5. Attackers can exploit Twig template processing to make unauthorized requests from the server...
This vulnerability allows editors with limited permissions in Grav CMS to modify form processing logic by manipulating YAML frontmatter in POST requests. Attackers could change form behavior to execut...
A cross-site scripting (XSS) vulnerability in Grav CMS versions 1.7.48 and earlier allows attackers to inject malicious scripts into form fields. When exploited, this enables arbitrary JavaScript exec...
CVE-2023-34251 is a server-side template injection vulnerability in Grav CMS that allows authenticated users with page editing privileges to execute arbitrary PHP code. This leads to remote code execu...
This CVE describes a Server-Side Template (SST) vulnerability in Grav CMS that allows attackers to extract sensitive configuration details through specially crafted POST requests to forms. Any Grav si...
Grav CMS versions before 1.8.0-beta.27 contain a Server-Side Template Injection vulnerability that allows authenticated users with editor permissions to execute arbitrary code on the server by bypassi...
A low-privilege user with page editing access in Grav can read arbitrary server files, including sensitive user account files containing password hashes and 2FA secrets. This allows account compromise...
This vulnerability allows authenticated users with account creation privileges to perform path traversal attacks when creating new users in Grav CMS. By supplying usernames containing sequences like '...
A privilege escalation vulnerability in Grav's Admin plugin allows users with create-user permissions to overwrite administrator accounts by creating new users with identical usernames. This enables a...
This vulnerability allows authenticated users with admin panel access in Grav CMS to escalate privileges to full admin or execute arbitrary system commands by injecting malicious Twig expressions. It ...
This Server-Side Template Injection (SSTI) vulnerability in Grav allows authenticated users with editor permissions to execute arbitrary commands on the server. Under certain conditions, unauthenticat...
This vulnerability allows authenticated admin users in Grav CMS to upload malicious plugins through the direct-install interface, leading to arbitrary PHP code execution and potential reverse shell ac...
This vulnerability in Grav CMS allows low-privileged users with page edit permissions to read arbitrary server files using Twig syntax, including sensitive user account files containing password hashe...
This vulnerability in Grav CMS allows administrative users to bypass SSTI mitigations and execute arbitrary code through Twig template processing. Attackers can gain elevated privileges and take full ...
Grav CMS versions before 1.7.45 contain a Server-Side Template Injection vulnerability that allows authenticated users with editor permissions to execute arbitrary code on the server, bypassing securi...
Grav CMS versions before 1.7.45 contain a file upload path traversal vulnerability that allows attackers to upload malicious files to arbitrary locations on the server. This can lead to remote code ex...
Grav CMS versions 1.7.42 and later contain a server-side template injection vulnerability due to an incorrect security check that allows bypassing function denylists. Attackers with administrator acce...
This vulnerability allows attackers with login access to Grav's Admin panel and page creation/update permissions to inject malicious templates and achieve remote code execution. The insufficient denyl...
CVE-2022-2073 is a code injection vulnerability in Grav CMS that allows attackers to execute arbitrary code on affected systems. This affects Grav installations prior to version 1.7.34. The vulnerabil...
CVE-2021-3924 is a path traversal vulnerability in Grav CMS that allows attackers to read arbitrary files outside the intended directory. This affects Grav installations with default configurations, p...
Grav CMS versions before 1.7.49.5 contain a stored cross-site scripting vulnerability in page editing functionality. Authenticated users with content editing permissions can inject malicious JavaScrip...
Grav CMS 1.7.49 contains a stored cross-site scripting vulnerability in its page editor. Authenticated users can inject malicious JavaScript via <script> tags in Markdown content, which executes when ...
Grav CMS versions before 1.8.0-beta.27 expose password hashes to users with read access to the admin panel's user management section. This allows attackers with basic admin panel access to potentially...
A Denial of Service vulnerability in Grav's admin panel allows attackers to crash the entire web application by submitting malformed input to the Languages configuration. This affects all Grav install...
Grav CMS versions before 1.8.0-beta.27 contain an IDOR vulnerability in the admin panel that allows low-privilege users to access sensitive information from other user accounts, including admin email ...
Grav CMS versions before 1.8.0-beta.27 contain a path traversal vulnerability in the backup tool that allows authenticated administrators to read arbitrary files on the server filesystem. This occurs ...
A Denial of Service vulnerability in Grav allows attackers to disrupt the admin panel by submitting malicious cron expressions in the scheduled_at parameter. This affects Grav administrators who can a...
Grav CMS version 1.7.49.5 contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This affects all Grav CMS installa...