getgrav/grav vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity only describes the worst case; what determines real risk is whether the vulnerable code actually runs in your applications.

CVE-ID                Severity  Package summary
CVE-2026-55890        Medium    getgrav/grav: Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() —…
CVE-2026-55885        Medium    getgrav/grav: Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
CVE-2026-44738        High      getgrav/grav: Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
CVE-2026-44737        Medium    getgrav/grav: Grav: Stored XSS via page title (data[header][title]) in admin panel
CVE-2026-42844        High      getgrav/grav: Low-privileged Grav API users can create super-admin accounts via blueprint-upload
CVE-2026-42611        High      getgrav/grav: Grav is Vulnerable to Stored XSS via Tag Injection
GHSA-3446-6MGW-F79P   Medium    getgrav/grav: Grav is Vulnerable to XXE via SVG Upload
CVE-2026-42608        High      getgrav/grav: Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
CVE-2026-42609        High      getgrav/grav: Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite…
CVE-2026-7317         Low       getgrav/grav: Grav has Insecure Deserialization in File Cache
GHSA-VJ3M-2G9H-VM4P   Critical  getgrav/grav: Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI…
CVE-2026-42612        High      getgrav/grav: Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
CVE-2026-42610        Medium    getgrav/grav: Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
CVE-2026-42613        Critical  getgrav/grav: Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
CVE-2026-42842        Medium    getgrav/grav: Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
CVE-2026-42841        Medium    getgrav/grav: Grav CMS vulnerable to stored XSS via Markdown media attribute() action
CVE-2026-42607        Critical  getgrav/grav: Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install…
CVE-2025-66844        Critical  getgrav/grav: Grav may be vulnerable to SSRF attack via Twig Templates
CVE-2025-66843        Medium    getgrav/grav: Grav is vulnerable to Stored XSS through authenticated user-edited content
CVE-2025-65186        Medium    getgrav/grav: Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
CVE-2025-66298        High      getgrav/grav: Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
CVE-2025-66294        High      getgrav/grav: Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
CVE-2025-66310        Medium    getgrav/grav: Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter…
CVE-2025-66309        Medium    getgrav/grav: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter…
CVE-2025-66297        High      getgrav/grav: Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
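The intro makes the point that severity is only the worst case and that real risk depends on whether the vulnerable code actually runs in your site. The script below is an added example of that first-pass triage, not Kodem's or Grav's code: it takes three advisories from the listing whose summaries name a concrete code path (MediaObjectTrait::style() and the Markdown ?style= action, Config::toArray(), and FormFlash) and greps a Grav site's user/ tree for references to them. The regexes are my assumption about what each summary points at, the sample site is constructed inline, and the listing gives no affected-version data, so a hit means "your own code touches this path", not "you are vulnerable"; the advisory text and your installed version decide that.

```python
"""
Added example (not Kodem's or Grav's code): a first-pass reachability check
for a Grav site, keyed on the code paths the advisory summaries above name.
It says nothing about affected versions, which this listing does not give;
it only tells you whether your own site code (user/) touches those paths.
"""
import re
import tempfile
from pathlib import Path

# Severity is copied from the listing. Each pattern is my assumption about what
# the summary points at; the advisory text is authoritative, not this table.
ADVISORY_PATTERNS = {
    # Stored CSS injection via Markdown image ?style= / MediaObjectTrait::style()
    "CVE-2026-55890": ("Medium", re.compile(r"\?style=|\bstyle\s*\(")),
    # Twig sandbox secret exfiltration via Config::toArray()
    "CVE-2026-44738": ("High", re.compile(r"\btoArray\s*\(")),
    # Path traversal / arbitrary file write in the FormFlash component
    "CVE-2026-42608": ("High", re.compile(r"\bFormFlash\b")),
}

# Only site-level files: Grav core itself references all of these symbols,
# so scanning system/ or vendor/ would flag every install.
SCAN_SUFFIXES = {".php", ".twig", ".md", ".yaml"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample site, written to a temp dir so the example runs offline.
SAMPLE_SITE = {
    "user/config/site.yaml": "title: Demo site\nauthor:\n  name: Example\n",
    "user/pages/01.home/default.md":
        "---\ntitle: Home\n---\n![Hero](hero.jpg?style=border:1px)\n",
    "user/plugins/custom-form/custom-form.php":
        "<?php\n// constructed plugin: persists uploads between form steps\n"
        "$flash = new FormFlash($form);\n",
    "user/themes/demo/templates/partials/hero.html.twig":
        "<img src=\"{{ page.media['hero.jpg'].style('max-width:100%').url }}\">\n",
}


def build_sample_site() -> Path:
    """Write the constructed site tree to a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="grav-triage-"))
    for rel, body in SAMPLE_SITE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def scan_tree(root: Path) -> dict:
    """Map advisory id -> [(posix path relative to root, line number), ...]."""
    hits = {adv: [] for adv in ADVISORY_PATTERNS}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(text.splitlines(), 1):
            for adv, (_sev, pattern) in ADVISORY_PATTERNS.items():
                if pattern.search(line):
                    hits[adv].append((rel, lineno))
    return hits


def triage(hits: dict) -> list:
    """Order advisories: ones your code references first, then by severity."""
    rows = [(adv, ADVISORY_PATTERNS[adv][0], len(found)) for adv, found in hits.items()]
    rows.sort(key=lambda r: (r[2] == 0, SEVERITY_RANK[r[1]], r[0]))
    return rows


if __name__ == "__main__":
    site = build_sample_site()
    found = scan_tree(site)
    for adv, sev, count in triage(found):
        flag = "REFERENCED" if count else "not referenced"
        print(f"{adv:16} {sev:8} {flag}")
        for rel, lineno in found[adv]:
            print(f"    {rel}:{lineno}")
```

Run it against a real install by replacing build_sample_site() with the path to your site's user/ directory. Text matching is deliberately coarse: it will miss indirect calls (a plugin that reaches FormFlash through Grav's form plugin shows nothing here) and it will flag unrelated uses of common names like style(), so treat the output as a worklist for reading the advisory, not as a verdict.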
