pkg:Packagist/getgrav/grav

64 total CVEs: CRITICAL 4, HIGH 25, MEDIUM 21

All known vulnerabilities

  • CRITICAL 9.4 | CVE-2026-42613 | Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
    affected versions: from 0, < 2.0.0-beta.2
  • CRITICAL 9.1 | CVE-2026-42607 | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
    affected versions: from 0, < 2.0.0-beta.2
  • CRITICAL 9.1 | CVE-2025-66844 | Grav may be vulnerable to SSRF attack via Twig Templates
    affected versions: from 0, <= 1.7.49.5
  • CRITICAL 9.1 | CVE-2023-34251 | Grav Server Side Template Injection (SSTI) vulnerability
    affected versions: from 0, < 1.7.42
  • HIGH 8.9 | CVE-2026-42611 | Grav is Vulnerable to Stored XSS via Tag Injection
    affected versions: from 0, < 2.0.0-beta.2
  • HIGH 8.8 | CVE-2025-66295 | Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
    affected versions: from 0, < 1.8.0-beta.27
  • HIGH 8.8 | CVE-2025-66299 | Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
    affected versions: from 0, < 1.8.0-beta.27
  • HIGH 8.8 | CVE-2025-66296 | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
    affected versions: from 0, < 1.8.0-beta.27
  • HIGH 8.8 | CVE-2024-28119 | Server Side Template Injection (SSTI) via Twig escape handler
    affected versions: from 0, < 1.7.45
  • HIGH 8.8 | CVE-2024-28118 | Server Side Template Injection (SSTI)
    affected versions: from 0, < 1.7.45
  • HIGH 8.8 | CVE-2024-28117 | Server Side Template Injection (SSTI)
    affected versions: from 0, < 1.7.45
  • HIGH 8.8 | CVE-2024-28116 | Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
    affected versions: from 0, < 1.7.45
  • HIGH 8.8 | CVE-2024-27921 | Grav File Upload Path Traversal
    affected versions: from 0, < 1.7.45
  • HIGH 8.8 | CVE-2024-27923 | Remote Code Execution by uploading a phar file using frontmatter
    affected versions: from 0, < 1.7.43
  • HIGH 8.8 | CVE-2020-29553 | Grav CMS Cross-Site Request Forgery (CSRF)
    affected versions: >= 1.7.0-beta.1, <= 1.7.0-rc.17
  • HIGH 8.8 | CVE-2021-3924 | Path traversal in grav
    affected versions: from 0, <= 1.7.24
  • HIGH 8.5 | CVE-2026-42612 | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
    affected versions: from 0, < 2.0.0-beta.2
  • HIGH 8.5 | CVE-2025-66300 | Grav is vulnerable to Arbitrary File Read
    affected versions: from 0, < 1.8.0-beta.27
  • HIGH 8.5 | CVE-2024-34082 | Grav Vulnerable to Arbitrary File Read to Account Takeover
    affected versions: from 0, < 1.7.46
  • HIGH 8.4 | CVE-2021-29440 | Grav's Twig processing allowing dangerous PHP functions by default
    affected versions: from 0, < 1.7.11
  • HIGH 8.1 | CVE-2026-42609 | Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
    affected versions: from 0, < 2.0.0-beta.2
  • HIGH 8.1 | CVE-2020-29555 | Grav CMS Arbitrary File Deletion
    affected versions: >= 1.7.0-beta.1, <= 1.7.0-rc.17
  • HIGH 7.7 | CVE-2026-44738 | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
    affected versions: from 0, < 2.0.0-rc.2
  • HIGH 7.2 | CVE-2023-37897 | grav Server-side Template Injection (SSTI) mitigation bypass
    affected versions: from 0, < 1.7.42.2
  • HIGH 7.2 | CVE-2023-34448 | Grav Server-side Template Injection (SSTI) via Twig Default Filters
    affected versions: from 0, < 1.7.42
  • HIGH 7.2 | CVE-2023-34253 | Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability
    affected versions: from 0, < 1.7.42
  • HIGH 7.2 | CVE-2023-34252 | Grav Server-side Template Injection (SSTI) via Twig Default Filters
    affected versions: from 0, < 1.7.42
  • HIGH 7.2 | CVE-2022-2073 | Code injection in grav
    affected versions: from 0, < 1.7.34
  • HIGH 7.1 | CVE-2022-0970 | Stored Cross-site Scripting in grav
    affected versions: from 0, < 1.7.31
  • MEDIUM 6.8 | CVE-2025-66302 | Grav vulnerable to Path Traversal allowing server files backup
    affected versions: from 0, < 1.8.0-beta.27
  • MEDIUM 6.5 | CVE-2026-42610 | Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
    affected versions: from 0, < 2.0.0-beta.2
  • MEDIUM 6.5 | CVE-2025-66307 | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
    affected versions: from 0, < 1.8.0-beta.27
  • MEDIUM 6.3 | CVE-2021-3904 | Cross-Site Scripting in grav
    affected versions: from 0, < 1.7.24
  • MEDIUM 6.3 | CVE-2021-3818 | Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
    affected versions: from 0, < 1.7.21
  • MEDIUM 6.2 | CVE-2025-66304 | Grav Exposes Password Hashes Leading to privilege escalation
    affected versions: from 0, < 1.8.0-beta.27
  • MEDIUM 6.1 | CVE-2025-65186 | Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
    affected versions: from 0, <= 1.7.49
  • MEDIUM 6.1 | CVE-2018-5233 | Grav CMS Cross-site scripting (XSS) vulnerability
    affected versions: from 0, < 1.3.0
  • MEDIUM 6.1 | CVE-2020-11529 | Open Redirect in Grav
    affected versions: from 0, < 1.6.23
  • MEDIUM 6.1 | CVE-2019-16126 | Cross-site Scripting in Grav
    affected versions: from 0, < 1.7.0-beta.8
  • MEDIUM 5.7 | CVE-2022-0268 | Cross-site Scripting in grav
    affected versions: from 0, < 1.7.28
  • MEDIUM 5.5 | CVE-2020-29556 | Grav CMS Local File Injection
    affected versions: >= 1.7.0-beta.1, <= 1.7.0-rc.17
  • MEDIUM 5.4 | CVE-2026-42842 | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
    affected versions: from 0, < 2.0.0-beta.2
  • MEDIUM 5.4 | CVE-2025-66843 | Grav is vulnerable to Stored XSS through authenticated user-edited content
    affected versions: from 0, <= 1.7.49.5
  • MEDIUM 5.4 | CVE-2023-31506 | Cross-site scripting (XSS) vulnerability in Grav
    affected versions: from 0
  • MEDIUM 5.4 | CVE-2022-1173 | Stored cross site scripting in getgrav/grav
    affected versions: from 0, < 1.7.33
  • MEDIUM 5.0 | CVE-2026-7317 | Grav has Insecure Deserialization in File Cache
    affected versions: from 0, < 2.0.0-beta.2
  • MEDIUM 4.9 | CVE-2025-66303 | Grav is vulnerable to a DOS on the admin panel
    affected versions: from 0, < 1.8.0-beta.27
  • MEDIUM 4.8 | CVE-2026-42841 | Grav CMS vulnerable to stored XSS via Markdown media attribute() action
    affected versions: from 0, < 2.0.0-beta.2
  • MEDIUM 4.6 | CVE-2022-0743 | Cross site scripting in getgrav/grav
    affected versions: from 0, < 1.7.31
  • MEDIUM 4.3 | CVE-2025-66306 | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2026-44737 | Grav: Stored XSS via page title (data[header][title]) in admin panel
    affected versions: from 0, < 1.7.49.5
  • CVE-2026-42844 | Low-privileged Grav API users can create super-admin accounts via blueprint-upload
    affected versions: from 0, < 2.0.0-beta.4
  • CVE-2026-42608 | Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
    affected versions: from 0, < 2.0.0-beta.2
  • CVE-2025-66298 | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66294 | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66310 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66309 | Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66297 | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66308 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66305 | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66312 | Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2025-66311 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
    affected versions: from 0, < 1.11.0-beta.1
  • CVE-2025-66301 | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
    affected versions: from 0, < 1.8.0-beta.27
  • CVE-2024-35498 | Grav Cross-site Scripting vulnerability
    affected versions: from 0, <= 1.7.45