Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/422016?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/422016?format=api", "purl": "pkg:composer/getgrav/grav@1.2.4", "type": "composer", "namespace": "getgrav", "name": "grav", "version": "1.2.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.0-rc.2", "latest_non_vulnerable_version": "2.0.0-rc.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94897?format=api", "vulnerability_id": "VCID-1t44-x9xa-dqhy", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66306", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14348", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14228", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66306" }, { "reference_url": "https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62", "reference_id": "b7e1958a6e807ac14919447b60e5204a2ea77f62", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/" } ], "url": "https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66306", "reference_id": "CVE-2025-66306", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66306" }, { "reference_url": "https://github.com/advisories/GHSA-4cwq-j7jv-qmwg", "reference_id": "GHSA-4cwq-j7jv-qmwg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4cwq-j7jv-qmwg" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg", "reference_id": "GHSA-4cwq-j7jv-qmwg", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66306", "GHSA-4cwq-j7jv-qmwg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1t44-x9xa-dqhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39694?format=api", "vulnerability_id": "VCID-1uae-bt5u-2yct", "summary": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a fix for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28118", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60818", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60713", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28118" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28118", "reference_id": "CVE-2024-28118", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28118" }, { "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_id": "de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/" } ], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe" }, { "reference_url": "https://github.com/advisories/GHSA-r6vw-8v8r-pmp4", "reference_id": "GHSA-r6vw-8v8r-pmp4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r6vw-8v8r-pmp4" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4", "reference_id": "GHSA-r6vw-8v8r-pmp4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29986?format=api", "purl": "pkg:composer/getgrav/grav@1.7.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45" } ], "aliases": [ "CVE-2024-28118", "GHSA-r6vw-8v8r-pmp4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1uae-bt5u-2yct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70232?format=api", "vulnerability_id": "VCID-1vrd-293u-73br", "summary": "The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42842", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08901", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10441", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42842" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42842", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42842" }, { "reference_url": "https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957", "reference_id": "6bffb4c98be468a155d1656544ec45bb4a443957", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:24:43Z/" } ], "url": "https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957" }, { "reference_url": "https://github.com/advisories/GHSA-c2q3-p4jr-c55f", "reference_id": "GHSA-c2q3-p4jr-c55f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c2q3-p4jr-c55f" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f", "reference_id": "GHSA-c2q3-p4jr-c55f", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:24:43Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42842", "GHSA-c2q3-p4jr-c55f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1vrd-293u-73br" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39798?format=api", "vulnerability_id": "VCID-2559-2grj-ykbp", "summary": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28119", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01406", "scoring_system": "epss", "scoring_elements": "0.80949", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01406", "scoring_system": "epss", "scoring_elements": "0.80889", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28119" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28119", "reference_id": "CVE-2024-28119", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28119" }, { "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_id": "de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/" } ], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe" }, { "reference_url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "reference_id": "EscaperExtension.php#L99", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/" } ], "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99" }, { "reference_url": "https://github.com/advisories/GHSA-2m7x-c7px-hp58", "reference_id": "GHSA-2m7x-c7px-hp58", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2m7x-c7px-hp58" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "reference_id": "GHSA-2m7x-c7px-hp58", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29986?format=api", "purl": "pkg:composer/getgrav/grav@1.7.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45" } ], "aliases": [ "CVE-2024-28119", "GHSA-2m7x-c7px-hp58" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2559-2grj-ykbp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360344?format=api", "vulnerability_id": "VCID-2qcb-uegp-t3h1", "summary": "Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass\nMultiple RCE vectors were found in Grav CMS. Three are critical, two are high.\n\n**1. Unsafe unserialize() in JobQueue — direct RCE gadget (Critical)**\n\n`system/src/Grav/Common/Scheduler/JobQueue.php:465` calls `unserialize(base64_decode(...))` without restricting `allowed_classes`. The `Job` class has `call_user_func_array($this->command, $this->args)` in its execution path, which is a direct gadget chain — inject a serialized `Job` with `command = 'system'` and `args = ['whoami']`.\n\nThe same codebase actually has a `Serializable` trait that correctly restricts classes, so this inconsistency stands out.\n\n**2. Unsafe unserialize() in FileCache — arbitrary class instantiation (Critical)**\n\n`system/src/Grav/Framework/Cache/Adapter/FileCache.php:75` does `unserialize($value, ['allowed_classes' => true])`. That `true` allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection → RCE.\n\n**3. Unsafe unserialize() in Session (High)**\n\n`system/src/Grav/Common/Session.php:116` — same `allowed_classes => true` pattern on session data. Lower severity since session storage is typically more restricted.\n\n**4. Command injection in git clone (Critical)**\n\n`system/src/Grav/Console/Cli/InstallCommand.php:150` — only `$this->destination` uses `escapeshellarg()`. The `$data['branch']`, `$data['url']`, and `$data['path']` variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.\n\n**5. SSTI blocklist bypass (High)**\n\n`system/src/Grav/Common/Security.php:267-286` — `cleanDangerousTwig()` blocks `twig_array_map` and `twig_array_filter` but not `twig_array_reduce`. Also missing `file_get_contents` and `fwrite` from the dangerous function blocklist. An attacker who can inject Twig templates can bypass the security filter.\n\nAll five are independently exploitable. The unserialize issues are the most concerning since they don't require admin access if there's any file write primitive.\n\n— ProScan AppSec | proscan.one\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (items #1, #2, #3, #4) and commit [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25) + [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (item #5) — ships in **2.0.0-beta.2**.\n\nAll five vectors addressed:\n\n1. **Scheduler\\JobQueue unsafe unserialize** — `serialized_job` now carries a sibling `serialized_job_hmac` signed with `Security::getNonceKey()`. `reconstructJob` refuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forged `Job` for direct RCE via `Job::exec → call_user_func_array`. \n → [`system/src/Grav/Common/Scheduler/JobQueue.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Scheduler/JobQueue.php)\n\n2. **FileCache unsafe unserialize** — same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv. \n → [`system/src/Grav/Framework/Cache/Adapter/FileCache.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Cache/Adapter/FileCache.php)\n\n3. **Session::getFlashObject unsafe unserialize** — payload now wrapped in a `v2|<hmac>|<serialized>` envelope; legacy/forged envelopes return null instead of triggering `unserialize`. \n → [`system/src/Grav/Common/Session.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Session.php)\n\n4. **InstallCommand `git clone` shell injection** — `branch`, `url`, and `path` values read from `user/.dependencies` are now passed through `escapeshellarg`, with a `--` separator before url/path to block option-injection (e.g. `--upload-pack=evil`). \n → [`system/src/Grav/Console/Cli/InstallCommand.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Console/Cli/InstallCommand.php)\n\n5. **SSTI blocklist bypass** — `twig_array_reduce` (the specific name called out) plus `twig_array_some` and `twig_array_every` added to `cleanDangerousTwig`'s `CALLABLE_DANGEROUS_NAMES` alongside the existing `twig_array_map`/`filter`. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer — see the sandbox work in [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25). \n → [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php)\n\n**Tests:**\n- [`tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php) — 8 cases covering JobQueue + Session HMAC integrity.\n- [`tests/unit/Grav/Common/Security/FileCacheSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FileCacheSecurityTest.php).\n- [`tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php) — new `twig_array_*` entries in `providerCallbackFunctions`.", "references": [ { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p" }, { "reference_url": "https://github.com/advisories/GHSA-vj3m-2g9h-vm4p", "reference_id": "GHSA-vj3m-2g9h-vm4p", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vj3m-2g9h-vm4p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "GHSA-vj3m-2g9h-vm4p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2qcb-uegp-t3h1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70342?format=api", "vulnerability_id": "VCID-3y6z-hczk-kbcj", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42612", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09975", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11615", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42612" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42612", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42612" }, { "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663", "reference_id": "5a12f9be8314682c8713e569e330f11805d0a663", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:52:35Z/" } ], "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663" }, { "reference_url": "https://github.com/advisories/GHSA-9695-8fr9-hw5q", "reference_id": "GHSA-9695-8fr9-hw5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9695-8fr9-hw5q" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9695-8fr9-hw5q", "reference_id": "GHSA-9695-8fr9-hw5q", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:52:35Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9695-8fr9-hw5q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42612", "GHSA-9695-8fr9-hw5q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3y6z-hczk-kbcj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94859?format=api", "vulnerability_id": "VCID-45ba-51hu-aybn", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66294", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.37646", "scoring_system": "epss", "scoring_elements": "0.97306", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.37646", "scoring_system": "epss", "scoring_elements": "0.97299", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66294" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66294", "reference_id": "CVE-2025-66294", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66294" }, { "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458", "reference_id": "e37259527d9c1deb6200f8967197a9fa587c6458", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/" } ], "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458" }, { "reference_url": "https://github.com/advisories/GHSA-662m-56v4-3r8f", "reference_id": "GHSA-662m-56v4-3r8f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-662m-56v4-3r8f" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f", "reference_id": "GHSA-662m-56v4-3r8f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66294", "GHSA-662m-56v4-3r8f" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-45ba-51hu-aybn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136914?format=api", "vulnerability_id": "VCID-4ee3-v7em-w3d9", "summary": "A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31506", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14782", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14662", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31506" }, { "reference_url": "https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506", "reference_id": "cve-2023-31506", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-16T17:13:14Z/" } ], "url": "https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31506", "reference_id": "CVE-2023-31506", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31506" }, { "reference_url": "https://github.com/advisories/GHSA-xrf8-cmrg-7436", "reference_id": "GHSA-xrf8-cmrg-7436", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xrf8-cmrg-7436" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/395019?format=api", "purl": "pkg:composer/getgrav/grav@1.7.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.44" } ], "aliases": [ "CVE-2023-31506", "GHSA-xrf8-cmrg-7436" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4ee3-v7em-w3d9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70610?format=api", "vulnerability_id": "VCID-4fyk-8s1y-zye1", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42611", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13675", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1604", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42611" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611" }, { "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663", "reference_id": "5a12f9be8314682c8713e569e330f11805d0a663", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:23:37Z/" } ], "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663" }, { "reference_url": "https://github.com/advisories/GHSA-w8cg-7jcj-4vv2", "reference_id": "GHSA-w8cg-7jcj-4vv2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w8cg-7jcj-4vv2" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2", "reference_id": "GHSA-w8cg-7jcj-4vv2", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:23:37Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42611", "GHSA-w8cg-7jcj-4vv2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4fyk-8s1y-zye1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/204206?format=api", "vulnerability_id": "VCID-54zk-kc4y-q3bk", "summary": "Cross-site Scripting in Grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16126", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00613", "scoring_system": "epss", "scoring_elements": "0.70423", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00613", "scoring_system": "epss", "scoring_elements": "0.70333", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16126" }, { "reference_url": "https://github.com/getgrav/grav/issues/2657", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/issues/2657" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16126", "reference_id": "CVE-2019-16126", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16126" }, { "reference_url": "https://github.com/advisories/GHSA-6268-v434-45m5", "reference_id": "GHSA-6268-v434-45m5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6268-v434-45m5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/491044?format=api", "purl": "pkg:composer/getgrav/grav@1.6.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6gfu-pghx-sqcp" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-vudj-pa47-4kfd" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/23161?format=api", "purl": "pkg:composer/getgrav/grav@1.7.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/15709?format=api", "purl": "pkg:composer/getgrav/grav@1.7.0-beta.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.0-beta.8" } ], "aliases": [ "CVE-2019-16126", "GHSA-6268-v434-45m5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-54zk-kc4y-q3bk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95076?format=api", "vulnerability_id": "VCID-611u-223y-9fgn", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66309", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09689", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09639", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66309" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66309", "reference_id": "CVE-2025-66309", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66309" }, { "reference_url": "https://github.com/advisories/GHSA-65mj-f7p4-wggq", "reference_id": "GHSA-65mj-f7p4-wggq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-65mj-f7p4-wggq" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq", "reference_id": "GHSA-65mj-f7p4-wggq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66309", "GHSA-65mj-f7p4-wggq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-611u-223y-9fgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/207267?format=api", "vulnerability_id": "VCID-6gfu-pghx-sqcp", "summary": "Open Redirect in Grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11529", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.70296", "scoring_system": "epss", "scoring_elements": "0.98704", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.70296", "scoring_system": "epss", "scoring_elements": "0.98709", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11529" }, { "reference_url": "https://getgrav.org/#changelog", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://getgrav.org/#changelog" }, { "reference_url": "https://github.com/getgrav/grav/commit/2eae104c7a4bf32bc26cb8073d5c40464bfda3f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/2eae104c7a4bf32bc26cb8073d5c40464bfda3f7" }, { "reference_url": "https://github.com/getgrav/grav/issues/3134", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/issues/3134" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11529", "reference_id": "CVE-2020-11529", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11529" }, { "reference_url": "https://github.com/advisories/GHSA-wrxc-mr2w-cjpv", "reference_id": "GHSA-wrxc-mr2w-cjpv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wrxc-mr2w-cjpv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18602?format=api", "purl": "pkg:composer/getgrav/grav@1.6.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-vudj-pa47-4kfd" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.23" } ], "aliases": [ "CVE-2020-11529", "GHSA-wrxc-mr2w-cjpv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6gfu-pghx-sqcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208465?format=api", "vulnerability_id": "VCID-6jat-2def-zqbc", "summary": "Stored Cross-site Scripting in grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0970", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.60172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.60065", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0970" }, { "reference_url": "https://github.com/getgrav/grav/commit/f19297d5f70476e7bedae9f2acef6b43615538b8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/f19297d5f70476e7bedae9f2acef6b43615538b8" }, { "reference_url": "https://huntr.dev/bounties/dd436c44-cbf4-48ac-8817-3a24872534ec", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/dd436c44-cbf4-48ac-8817-3a24872534ec" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0970", "reference_id": "CVE-2022-0970", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0970" }, { "reference_url": "https://github.com/advisories/GHSA-r6hh-5g3q-wwgc", "reference_id": "GHSA-r6hh-5g3q-wwgc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r6hh-5g3q-wwgc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19545?format=api", "purl": "pkg:composer/getgrav/grav@1.7.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.31" } ], "aliases": [ "CVE-2022-0970", "GHSA-r6hh-5g3q-wwgc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6jat-2def-zqbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95122?format=api", "vulnerability_id": "VCID-6nkq-h2ya-h7c4", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the \"Languages\" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66305", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20453", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.2063", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66305" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305", "reference_id": "CVE-2025-66305", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305" }, { "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee", "reference_id": "ed640a13143c4177af013cf001969ed2c5e197ee", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:14:17Z/" } ], "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee" }, { "reference_url": "https://github.com/advisories/GHSA-m8vh-v6r6-w7p6", "reference_id": "GHSA-m8vh-v6r6-w7p6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m8vh-v6r6-w7p6" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6", "reference_id": "GHSA-m8vh-v6r6-w7p6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:14:17Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66305", "GHSA-m8vh-v6r6-w7p6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6nkq-h2ya-h7c4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94941?format=api", "vulnerability_id": "VCID-7376-h19s-q3bf", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66299", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00154", "scoring_system": "epss", "scoring_elements": "0.36028", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00154", "scoring_system": "epss", "scoring_elements": "0.35847", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66299" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66299", "reference_id": "CVE-2025-66299", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66299" }, { "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458", "reference_id": "e37259527d9c1deb6200f8967197a9fa587c6458", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/" } ], "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458" }, { "reference_url": "https://github.com/advisories/GHSA-gjc5-8cfh-653x", "reference_id": "GHSA-gjc5-8cfh-653x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gjc5-8cfh-653x" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x", "reference_id": "GHSA-gjc5-8cfh-653x", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66299", "GHSA-gjc5-8cfh-653x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7376-h19s-q3bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/141815?format=api", "vulnerability_id": "VCID-7pjb-q8yn-47cc", "summary": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34448", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08847", "scoring_system": "epss", "scoring_elements": "0.92753", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.08847", "scoring_system": "epss", "scoring_elements": "0.92728", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34448" }, { "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448" }, { "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/", "reference_id": "3ef640e6-9e25-4ecb-8ec1-64311d63fe66", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/" } ], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/" }, { "reference_url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8", "reference_id": "8c2c1cb72611a399f13423fc6d0e1d998c03e5c8", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/" } ], "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8" }, { "reference_url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "reference_id": "9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/" } ], "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83" }, { "reference_url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148", "reference_id": "Environment.php#L148", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/" } ], "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148" }, { "reference_url": "https://github.com/advisories/GHSA-whr7-m3f8-mpm8", "reference_id": "GHSA-whr7-m3f8-mpm8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whr7-m3f8-mpm8" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8", "reference_id": "GHSA-whr7-m3f8-mpm8", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381711?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42" } ], "aliases": [ "CVE-2023-34448", "GHSA-whr7-m3f8-mpm8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7pjb-q8yn-47cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94852?format=api", "vulnerability_id": "VCID-8y17-ya5s-xudd", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66308", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07316", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07274", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66308" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308", "reference_id": "CVE-2025-66308", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66308" }, { "reference_url": "https://github.com/advisories/GHSA-gqxx-248x-g29f", "reference_id": "GHSA-gqxx-248x-g29f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqxx-248x-g29f" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f", "reference_id": "GHSA-gqxx-248x-g29f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66308", "GHSA-gqxx-248x-g29f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8y17-ya5s-xudd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55745?format=api", "vulnerability_id": "VCID-9aqu-d699-27bh", "summary": "Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to insufficient permission validation and inadequate file name validation. This may lead to remote code execution. Version 1.7.43 fixes this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27923", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05118", "scoring_system": "epss", "scoring_elements": "0.90092", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.05118", "scoring_system": "epss", "scoring_elements": "0.9006", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27923" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27923", "reference_id": "CVE-2024-27923", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27923" }, { "reference_url": "https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07", "reference_id": "e3b0aa0c502aad251c1b79d1ee973dcd93711f07", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/" } ], "url": "https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07" }, { "reference_url": "https://github.com/advisories/GHSA-f6g2-h7qv-3m5v", "reference_id": "GHSA-f6g2-h7qv-3m5v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6g2-h7qv-3m5v" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v", "reference_id": "GHSA-f6g2-h7qv-3m5v", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29547?format=api", "purl": "pkg:composer/getgrav/grav@1.7.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.43" } ], "aliases": [ "CVE-2024-27923", "GHSA-f6g2-h7qv-3m5v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9aqu-d699-27bh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70513?format=api", "vulnerability_id": "VCID-9y53-5agq-9yaf", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42608", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.3062", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32426", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42608" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42608", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42608" }, { "reference_url": "https://github.com/advisories/GHSA-hmcx-ch82-3fv2", "reference_id": "GHSA-hmcx-ch82-3fv2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hmcx-ch82-3fv2" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2", "reference_id": "GHSA-hmcx-ch82-3fv2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-11T16:07:43Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42608", "GHSA-hmcx-ch82-3fv2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9y53-5agq-9yaf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94685?format=api", "vulnerability_id": "VCID-b5ay-jsby-23he", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66311", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07316", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07274", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66311" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66311", "reference_id": "CVE-2025-66311", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66311" }, { "reference_url": "https://github.com/advisories/GHSA-mpjj-4688-3fxg", "reference_id": "GHSA-mpjj-4688-3fxg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mpjj-4688-3fxg" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg", "reference_id": "GHSA-mpjj-4688-3fxg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35643?format=api", "purl": "pkg:composer/getgrav/grav@1.11.0-beta.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.11.0-beta.1" } ], "aliases": [ "CVE-2025-66311", "GHSA-mpjj-4688-3fxg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ay-jsby-23he" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94695?format=api", "vulnerability_id": "VCID-bn3y-7zgs-73ap", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66298", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21677", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.21491", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66298" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66298", "reference_id": "CVE-2025-66298", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66298" }, { "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458", "reference_id": "e37259527d9c1deb6200f8967197a9fa587c6458", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/" } ], "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458" }, { "reference_url": "https://github.com/advisories/GHSA-8535-hvm8-2hmv", "reference_id": "GHSA-8535-hvm8-2hmv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8535-hvm8-2hmv" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv", "reference_id": "GHSA-8535-hvm8-2hmv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66298", "GHSA-8535-hvm8-2hmv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bn3y-7zgs-73ap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67859?format=api", "vulnerability_id": "VCID-bt8c-zfzy-4fbr", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44738", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11122", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13108", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44738" }, { "reference_url": "https://github.com/getgrav/grav/releases/tag/2.0.0-rc.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/releases/tag/2.0.0-rc.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44738", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44738" }, { "reference_url": "https://github.com/advisories/GHSA-j274-39qw-32c9", "reference_id": "GHSA-j274-39qw-32c9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j274-39qw-32c9" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "reference_id": "GHSA-j274-39qw-32c9", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:04:51Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376016?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-rc.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-rc.2" } ], "aliases": [ "CVE-2026-44738", "GHSA-j274-39qw-32c9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bt8c-zfzy-4fbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95019?format=api", "vulnerability_id": "VCID-c8s1-r8sp-nufc", "summary": "grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66843", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.0774", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07704", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66843" }, { "reference_url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T17:33:18Z/" } ], "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66843", "reference_id": "CVE-2025-66843", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66843" }, { "reference_url": "https://github.com/advisories/GHSA-mh85-44c2-3m97", "reference_id": "GHSA-mh85-44c2-3m97", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mh85-44c2-3m97" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/887967?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1" } ], "aliases": [ "CVE-2025-66843", "GHSA-mh85-44c2-3m97" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8s1-r8sp-nufc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94879?format=api", "vulnerability_id": "VCID-cafd-vta9-efdp", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66295", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28059", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2786", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66295" }, { "reference_url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741", "reference_id": "3462d94d575064601689b236508c316242e15741", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/" } ], "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295", "reference_id": "CVE-2025-66295", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66295" }, { "reference_url": "https://github.com/advisories/GHSA-h756-wh59-hhjv", "reference_id": "GHSA-h756-wh59-hhjv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h756-wh59-hhjv" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv", "reference_id": "GHSA-h756-wh59-hhjv", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66295", "GHSA-h756-wh59-hhjv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cafd-vta9-efdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94728?format=api", "vulnerability_id": "VCID-dpwj-ft2b-qycu", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66310", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07316", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07274", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66310" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:03:09Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66310", "reference_id": "CVE-2025-66310", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66310" }, { "reference_url": "https://github.com/advisories/GHSA-7g78-5g5g-mvfj", "reference_id": "GHSA-7g78-5g5g-mvfj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7g78-5g5g-mvfj" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj", "reference_id": "GHSA-7g78-5g5g-mvfj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:03:09Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66310", "GHSA-7g78-5g5g-mvfj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dpwj-ft2b-qycu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359300?format=api", "vulnerability_id": "VCID-dqhd-acxj-huc6", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44737", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18044", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19699", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44737" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/f67cc18e81d8767bb43d29ee6422c55ed0427803", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/f67cc18e81d8767bb43d29ee6422c55ed0427803" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-fmg2-f5r9-24qc", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-fmg2-f5r9-24qc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44737", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44737" }, { "reference_url": "https://github.com/advisories/GHSA-fmg2-f5r9-24qc", "reference_id": "GHSA-fmg2-f5r9-24qc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fmg2-f5r9-24qc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36214?format=api", "purl": "pkg:composer/getgrav/grav@1.7.49%2B5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.49%252B5" }, { "url": "http://public2.vulnerablecode.io/api/packages/887966?format=api", "purl": "pkg:composer/getgrav/grav@1.7.49.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.49.5" } ], "aliases": [ "CVE-2026-44737", "GHSA-fmg2-f5r9-24qc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqhd-acxj-huc6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/306093?format=api", "vulnerability_id": "VCID-e911-hu2t-tfcn", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-5233", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.18828", "scoring_system": "epss", "scoring_elements": "0.95448", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.18828", "scoring_system": "epss", "scoring_elements": "0.95462", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-5233" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5233", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5233" }, { "reference_url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2018/03/15/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2018/03/15/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/385831?format=api", "purl": "pkg:composer/getgrav/grav@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-54zk-kc4y-q3bk" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6gfu-pghx-sqcp" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-vudj-pa47-4kfd" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.3.0" } ], "aliases": [ "CVE-2018-5233", "GHSA-977g-93f5-rqjx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e911-hu2t-tfcn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70492?format=api", "vulnerability_id": "VCID-fbex-4yyq-jud6", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the \"Direct Install\" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42607", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00455", "scoring_system": "epss", "scoring_elements": "0.64273", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00495", "scoring_system": "epss", "scoring_elements": "0.66323", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42607", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42607" }, { "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663", "reference_id": "5a12f9be8314682c8713e569e330f11805d0a663", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:46:17Z/" } ], "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52578.py", "reference_id": "CVE-2026-42607", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52578.py" }, { "reference_url": "https://github.com/advisories/GHSA-w48r-jppp-rcfw", "reference_id": "GHSA-w48r-jppp-rcfw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w48r-jppp-rcfw" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw", "reference_id": "GHSA-w48r-jppp-rcfw", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:46:17Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42607", "GHSA-w48r-jppp-rcfw" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbex-4yyq-jud6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94809?format=api", "vulnerability_id": "VCID-ftuq-vs33-byau", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The \"Forgot Password\" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66307", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18912", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18748", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66307" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66307", "reference_id": "CVE-2025-66307", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66307" }, { "reference_url": "https://github.com/advisories/GHSA-q3qx-cp62-f6m7", "reference_id": "GHSA-q3qx-cp62-f6m7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3qx-cp62-f6m7" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7", "reference_id": "GHSA-q3qx-cp62-f6m7", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66307", "GHSA-q3qx-cp62-f6m7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ftuq-vs33-byau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70534?format=api", "vulnerability_id": "VCID-fuk4-2ad3-gqe8", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42841", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06784", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07558", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42841" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42841", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42841" }, { "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663", "reference_id": "5a12f9be8314682c8713e569e330f11805d0a663", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T16:19:03Z/" } ], "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663" }, { "reference_url": "https://github.com/advisories/GHSA-r7fx-8g49-7hhr", "reference_id": "GHSA-r7fx-8g49-7hhr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r7fx-8g49-7hhr" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr", "reference_id": "GHSA-r7fx-8g49-7hhr", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T16:19:03Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42841", "GHSA-r7fx-8g49-7hhr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fuk4-2ad3-gqe8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/142341?format=api", "vulnerability_id": "VCID-gk7c-d8fy-rbdf", "summary": "Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34252", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00529", "scoring_system": "epss", "scoring_elements": "0.677", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00529", "scoring_system": "epss", "scoring_elements": "0.6761", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34252" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34252", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34252" }, { "reference_url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec", "reference_id": "244758d4383034fe4cd292d41e477177870b65ec", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/" } ], "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec" }, { "reference_url": "https://github.com/advisories/GHSA-96xv-rmwj-6p9w", "reference_id": "GHSA-96xv-rmwj-6p9w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-96xv-rmwj-6p9w" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w", "reference_id": "GHSA-96xv-rmwj-6p9w", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w" }, { "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698", "reference_id": "GravExtension.php#L1692-L1698", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/" } ], "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698" }, { "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074", "reference_id": "Utils.php#L1956-L2074", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/" } ], "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381711?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42" } ], "aliases": [ "CVE-2023-34252", "GHSA-96xv-rmwj-6p9w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gk7c-d8fy-rbdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72181?format=api", "vulnerability_id": "VCID-gted-pwjh-xfbf", "summary": "A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-7317", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20524", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20702", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-7317" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7317", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7317" }, { "reference_url": "https://vuldb.com/vuln/359965", "reference_id": "359965", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://vuldb.com/vuln/359965" }, { "reference_url": "https://vuldb.com/submit/798732", "reference_id": "798732", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://vuldb.com/submit/798732" }, { "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5f", "reference_id": "c66dfeb5f", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://github.com/getgrav/grav/commit/c66dfeb5f" }, { "reference_url": "https://vuldb.com/vuln/359965/cti", "reference_id": "cti", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://vuldb.com/vuln/359965/cti" }, { "reference_url": "https://github.com/advisories/GHSA-gwfr-jfjf-92vv", "reference_id": "GHSA-gwfr-jfjf-92vv", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwfr-jfjf-92vv" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv", "reference_id": "GHSA-gwfr-jfjf-92vv", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv" }, { "reference_url": "https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection", "reference_id": "grav-cms-filecache-object-injection", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C" }, { "value": "5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:59:03Z/" } ], "url": "https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-7317", "GHSA-gwfr-jfjf-92vv" ], "risk_score": 2.2, "exploitability": "0.5", "weighted_severity": "4.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gted-pwjh-xfbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94994?format=api", "vulnerability_id": "VCID-hcnz-nxwp-ykfv", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66296", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19831", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19656", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66296" }, { "reference_url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741", "reference_id": "3462d94d575064601689b236508c316242e15741", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/" } ], "url": "https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66296", "reference_id": "CVE-2025-66296", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66296" }, { "reference_url": "https://github.com/advisories/GHSA-cjcp-qxvg-4rjm", "reference_id": "GHSA-cjcp-qxvg-4rjm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjcp-qxvg-4rjm" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm", "reference_id": "GHSA-cjcp-qxvg-4rjm", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66296", "GHSA-cjcp-qxvg-4rjm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hcnz-nxwp-ykfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/207568?format=api", "vulnerability_id": "VCID-jjye-gyx1-j3bu", "summary": "Cross-site Scripting in grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0268", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50533", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.504", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0268" }, { "reference_url": "https://github.com/getgrav/grav/commit/6f2fa9311afb9ecd34030dec2aff7b39e9e7e735", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/6f2fa9311afb9ecd34030dec2aff7b39e9e7e735" }, { "reference_url": "https://huntr.dev/bounties/67085545-331e-4469-90f3-a1a46a078d39", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/67085545-331e-4469-90f3-a1a46a078d39" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0268", "reference_id": "CVE-2022-0268", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0268" }, { "reference_url": "https://github.com/advisories/GHSA-735v-wx75-xmmm", "reference_id": "GHSA-735v-wx75-xmmm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-735v-wx75-xmmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18853?format=api", "purl": "pkg:composer/getgrav/grav@1.7.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.28" } ], "aliases": [ "CVE-2022-0268", "GHSA-735v-wx75-xmmm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jjye-gyx1-j3bu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91266?format=api", "vulnerability_id": "VCID-jv8r-d9h7-vubf", "summary": "Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65186", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.1026", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10211", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65186" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65186", "reference_id": "CVE-2025-65186", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65186" }, { "reference_url": "https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf", "reference_id": "CVE-2025-65186.pdf", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/" } ], "url": "https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf" }, { "reference_url": "https://github.com/advisories/GHSA-cchq-397m-q2qm", "reference_id": "GHSA-cchq-397m-q2qm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cchq-397m-q2qm" }, { "reference_url": "https://github.com/getgrav/grav", "reference_id": "grav", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/" } ], "url": "https://github.com/getgrav/grav" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/887962?format=api", "purl": "pkg:composer/getgrav/grav@1.7.49.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.49.1" } ], "aliases": [ "CVE-2025-65186", "GHSA-cchq-397m-q2qm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jv8r-d9h7-vubf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208324?format=api", "vulnerability_id": "VCID-k8n9-gaa1-kfd6", "summary": "Cross site scripting in getgrav/grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0743", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51979", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51849", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0743" }, { "reference_url": "https://github.com/getgrav/grav/commit/3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f" }, { "reference_url": "https://huntr.dev/bounties/32ea4ddb-5b41-4bf9-b5a1-ef455fe2d293", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/32ea4ddb-5b41-4bf9-b5a1-ef455fe2d293" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0743", "reference_id": "CVE-2022-0743", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0743" }, { "reference_url": "https://github.com/advisories/GHSA-2p89-ppc2-mrq4", "reference_id": "GHSA-2p89-ppc2-mrq4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2p89-ppc2-mrq4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19545?format=api", "purl": "pkg:composer/getgrav/grav@1.7.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.31" } ], "aliases": [ "CVE-2022-0743", "GHSA-2p89-ppc2-mrq4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k8n9-gaa1-kfd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/209002?format=api", "vulnerability_id": "VCID-k9a3-vmbk-nkbc", "summary": "Stored cross site scripting in getgrav/grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1173", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00352", "scoring_system": "epss", "scoring_elements": "0.58138", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00352", "scoring_system": "epss", "scoring_elements": "0.58025", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1173" }, { "reference_url": "https://github.com/getgrav/grav/commit/1c0ed43afa5dc14169e6aa693b38e1a2f7aecad9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/1c0ed43afa5dc14169e6aa693b38e1a2f7aecad9" }, { "reference_url": "https://huntr.dev/bounties/b6016e95-9f48-4945-89cb-199b6e072218", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/b6016e95-9f48-4945-89cb-199b6e072218" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1173", "reference_id": "CVE-2022-1173", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1173" }, { "reference_url": "https://github.com/advisories/GHSA-3p5m-j98p-c698", "reference_id": "GHSA-3p5m-j98p-c698", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3p5m-j98p-c698" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20310?format=api", "purl": "pkg:composer/getgrav/grav@1.7.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.33" } ], "aliases": [ "CVE-2022-1173", "GHSA-3p5m-j98p-c698" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k9a3-vmbk-nkbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/343276?format=api", "vulnerability_id": "VCID-kpzg-n1y4-pufs", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3818", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53101", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53229", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3818" }, { "reference_url": "https://github.com/getgrav/grav/commit/c51fb1779b83f620c0b6f3548d4a96322b55df07", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/c51fb1779b83f620c0b6f3548d4a96322b55df07" }, { "reference_url": "https://huntr.dev/bounties/c2bc65af-7b93-4020-886e-8cdaeb0a58ea", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/c2bc65af-7b93-4020-886e-8cdaeb0a58ea" }, { "reference_url": "https://github.com/advisories/GHSA-cg3q-59w7-rvc2", "reference_id": "GHSA-cg3q-59w7-rvc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cg3q-59w7-rvc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/382674?format=api", "purl": "pkg:composer/getgrav/grav@1.7.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.21" } ], "aliases": [ "CVE-2021-3818", "GHSA-cg3q-59w7-rvc2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kpzg-n1y4-pufs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/343310?format=api", "vulnerability_id": "VCID-n21x-za4a-rbe6", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3904", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49829", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49965", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3904" }, { "reference_url": "https://github.com/getgrav/grav/commit/afc69a3229bb6fe120b2c1ea27bc6f196ed7284d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/afc69a3229bb6fe120b2c1ea27bc6f196ed7284d" }, { "reference_url": "https://huntr.dev/bounties/b1182515-d911-4da9-b4f7-b4c341a62a8d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/b1182515-d911-4da9-b4f7-b4c341a62a8d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3904", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3904" }, { "reference_url": "https://github.com/advisories/GHSA-5jxc-hmqf-3f73", "reference_id": "GHSA-5jxc-hmqf-3f73", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5jxc-hmqf-3f73" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/383129?format=api", "purl": "pkg:composer/getgrav/grav@1.7.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.24" } ], "aliases": [ "CVE-2021-3904", "GHSA-5jxc-hmqf-3f73" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n21x-za4a-rbe6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360399?format=api", "vulnerability_id": "VCID-n873-y6ex-pqh2", "summary": "Grav is Vulnerable to XXE via SVG Upload\nDear Grav Security Team,\n\nA security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.\n\n Vulnerability Summary\n\n| Field | Details |\n|-------|---------|\n| Vulnerability Type | XML External Entity (XXE) Injection |\n| Severity | High (CVSS 7.5) |\n| Affected Versions | Grav CMS <= 1.7.x |\n| Affected Component | SVG file upload/processing |\n| CWE | CWE-611: Improper Restriction of XML External Entity Reference |\n| Authentication Required | Yes (Admin panel access) |\n\nTechnical Details\n\n Root Cause\nThe application uses `simplexml_load_string()` to process uploaded SVG files without disabling external entity loading. This allows attackers to inject XXE payloads that are processed by the XML parser.\n\n Vulnerable Code Pattern\n```php\n// Current (Vulnerable):\n$svg = simplexml_load_string($content);\n\n// No LIBXML_NOENT flag or entity loader protection\n```\n\n Attack Vector\n1. Attacker authenticates to Grav admin panel\n2. Uploads malicious SVG file via Pages → Media or File Manager plugin\n3. Server parses SVG and processes XXE entities\n4. Arbitrary file contents are exfiltrated\n\n Impact\n\nAn authenticated attacker can:\n\n1. Read sensitive files:\n - `/etc/passwd` - System user information\n - `user/accounts/*.yaml` - Admin credentials and 2FA secrets\n - `user/config/system.yaml` - System configuration\n - `.env` files - Environment secrets and API keys\n\n2. Perform SSRF - Access internal services via external entity URLs\n\n3. Potential DoS - Billion laughs attack via recursive entity expansion\n\nProof of Concept\n\n Malicious SVG Payload\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE svg [\n <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\">\n <text x=\"10\" y=\"50\">&xxe;</text>\n</svg>\n```\n\n Steps to Reproduce\n1. Login to Grav CMS admin panel\n2. Navigate to Pages → select any page → Media tab\n3. Upload the malicious SVG file\n4. Observe file contents in response/error or stored output\n\n Recommended Fix\n\n Option 1: Add XXE Protection Flags\n```php\nlibxml_use_internal_errors(true);\n$svg = simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);\n```\n\n Option 2: Use SVG Sanitizer Library (Recommended)\n```php\nuse enshrined\\svgSanitize\\Sanitizer;\n\n$sanitizer = new Sanitizer();\n$sanitizer->removeRemoteReferences(true);\n$cleanSVG = $sanitizer->sanitize($content);\n```\n\nThe `enshrined/svg-sanitize` library properly strips XXE payloads and other malicious SVG content.\n\n Request\n\n1. Please acknowledge receipt of this report within 5 business days\n2. Please provide an estimated timeline for a security patch\n3. I am happy to assist with testing the fix\n4. I request a CVE be assigned for this vulnerability\n5. If you have a security advisory process, please include me in the credits\n\nTurki Almatrafi.\n\n\n\n---\n\n## Maintainer note — fix applied (2026-04-24)\n\nFixed across two repos:\n\n1. **Grav core on the `2.0` branch** (commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8), ships in **2.0.0-beta.2**) — `VectorImageMedium::__construct` (the code path that reads width/height from an uploaded SVG) now strips `<!DOCTYPE>` and `<!ENTITY>` declarations before parsing, and calls `simplexml_load_string` with `LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING`. On PHP < 8 it also calls `libxml_disable_entity_loader(true)` for the duration of the parse.\n\n2. **rhukster/dom-sanitizer** (commit [`02d08ec`](https://github.com/rhukster/dom-sanitizer/commit/02d08ec)) — the library Grav ships as its SVG sanitizer. `loadDocument` now applies the same DOCTYPE/ENTITY strip and passes `LIBXML_NONET` to `loadXML`/`loadHTML`.\n\nWith both layers in place, the PoC:\n\n```xml\n<!DOCTYPE svg [\n <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\">\n <text x=\"10\" y=\"50\">&xxe;</text>\n</svg>\n```\n\nno longer expands `&xxe;`, and the parser cannot make outbound filesystem or network requests for external entities/DTDs. Billion-laughs-style entity expansion is also neutralized because the declarations are stripped before libxml ever sees them.\n\n**Files:**\n- [`system/src/Grav/Common/Page/Medium/VectorImageMedium.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Page/Medium/VectorImageMedium.php).\n- [`tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php) — XXE neutralization + billion-laughs + plain-SVG regression.\n- dom-sanitizer: [`src/DOMSanitizer.php`](https://github.com/rhukster/dom-sanitizer/blob/main/src/DOMSanitizer.php) + two new XXE tests in its own suite.", "references": [ { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p" }, { "reference_url": "https://github.com/advisories/GHSA-3446-6mgw-f79p", "reference_id": "GHSA-3446-6mgw-f79p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3446-6mgw-f79p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "GHSA-3446-6mgw-f79p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n873-y6ex-pqh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44215?format=api", "vulnerability_id": "VCID-nbat-7pjr-d3e1", "summary": "A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35679", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35859", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35498" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35498", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35498" }, { "reference_url": "https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0", "reference_id": "a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/" } ], "url": "https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0" }, { "reference_url": "https://github.com/advisories/GHSA-m78c-qx99-mvw9", "reference_id": "GHSA-m78c-qx99-mvw9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m78c-qx99-mvw9" }, { "reference_url": "https://github.com/r4vanan/Stored-xss-Grav-v1.7.45", "reference_id": "Stored-xss-Grav-v1.7.45", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/" } ], "url": "https://github.com/r4vanan/Stored-xss-Grav-v1.7.45" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31190?format=api", "purl": "pkg:composer/getgrav/grav@1.7.46", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46" } ], "aliases": [ "CVE-2024-35498", "GHSA-m78c-qx99-mvw9" ], "risk_score": 2.8, "exploitability": "0.5", "weighted_severity": "5.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nbat-7pjr-d3e1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/142303?format=api", "vulnerability_id": "VCID-nznw-cfmj-6bfp", "summary": "Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34253", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02104", "scoring_system": "epss", "scoring_elements": "0.84503", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.02104", "scoring_system": "epss", "scoring_elements": "0.84447", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34253" }, { "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34253", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34253" }, { "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/", "reference_id": "3ef640e6-9e25-4ecb-8ec1-64311d63fe66", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/" } ], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/" }, { "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b", "reference_id": "71bbed12f950de8335006d7f91112263d8504f1b", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/" } ], "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b" }, { "reference_url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "reference_id": "9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/" } ], "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83" }, { "reference_url": "https://github.com/advisories/GHSA-j3v8-v77f-fvgm", "reference_id": "GHSA-j3v8-v77f-fvgm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j3v8-v77f-fvgm" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm", "reference_id": "GHSA-j3v8-v77f-fvgm", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm" }, { "reference_url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190", "reference_id": "Utils.php#L1952-L2190", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/" } ], "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381711?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42" } ], "aliases": [ "CVE-2023-34253", "GHSA-j3v8-v77f-fvgm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nznw-cfmj-6bfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94967?format=api", "vulnerability_id": "VCID-p82r-r27b-kqfs", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66302", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20355", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20179", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66302" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302", "reference_id": "CVE-2025-66302", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66302" }, { "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee", "reference_id": "ed640a13143c4177af013cf001969ed2c5e197ee", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/" } ], "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee" }, { "reference_url": "https://github.com/advisories/GHSA-j422-qmxp-hv94", "reference_id": "GHSA-j422-qmxp-hv94", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j422-qmxp-hv94" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94", "reference_id": "GHSA-j422-qmxp-hv94", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66302", "GHSA-j422-qmxp-hv94" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p82r-r27b-kqfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70411?format=api", "vulnerability_id": "VCID-pdbb-zdxf-tyck", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42613", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06641", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10048", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42613" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42613", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42613" }, { "reference_url": "https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1", "reference_id": "3d419a0dabd70aed1fd49afcd5919004a4141da1", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:47:25Z/" } ], "url": "https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1" }, { "reference_url": "https://github.com/advisories/GHSA-pxm6-mhxr-q4mj", "reference_id": "GHSA-pxm6-mhxr-q4mj", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pxm6-mhxr-q4mj" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj", "reference_id": "GHSA-pxm6-mhxr-q4mj", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:47:25Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw", "reference_id": "GHSA-w48r-jppp-rcfw", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42613", "GHSA-pxm6-mhxr-q4mj" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pdbb-zdxf-tyck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/338531?format=api", "vulnerability_id": "VCID-q8kr-z94u-gyeb", "summary": "", "references": [ { "reference_url": "http://packetstormsecurity.com/files/162987/Grav-CMS-1.7.10-Server-Side-Template-Injection.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://packetstormsecurity.com/files/162987/Grav-CMS-1.7.10-Server-Side-Template-Injection.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29440", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11163", "scoring_system": "epss", "scoring_elements": "0.93658", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.11163", "scoring_system": "epss", "scoring_elements": "0.93678", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29440" }, { "reference_url": "https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29440", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29440" }, { "reference_url": "https://packagist.org/packages/getgrav/grav", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/getgrav/grav" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49961.py", "reference_id": "CVE-2021-29440", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49961.py" }, { "reference_url": "https://github.com/advisories/GHSA-g8r4-p96j-xfxc", "reference_id": "GHSA-g8r4-p96j-xfxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g8r4-p96j-xfxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/382278?format=api", "purl": "pkg:composer/getgrav/grav@1.7.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/497800?format=api", "purl": "pkg:composer/getgrav/grav@1.7.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.12" } ], "aliases": [ "CVE-2021-29440", "GHSA-g8r4-p96j-xfxc" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q8kr-z94u-gyeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94703?format=api", "vulnerability_id": "VCID-qk5j-hmd2-e7ap", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66304", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21915", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21727", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66304" }, { "reference_url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7", "reference_id": "9d11094e4133f059688fad1e00dbe96fb6e3ead7", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/" } ], "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304", "reference_id": "CVE-2025-66304", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66304" }, { "reference_url": "https://github.com/advisories/GHSA-gq3g-666w-7h85", "reference_id": "GHSA-gq3g-666w-7h85", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gq3g-666w-7h85" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85", "reference_id": "GHSA-gq3g-666w-7h85", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66304", "GHSA-gq3g-666w-7h85" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qk5j-hmd2-e7ap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210937?format=api", "vulnerability_id": "VCID-r2fp-phnf-9yej", "summary": "Code injection in grav", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2073", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.44076", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.43921", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2073" }, { "reference_url": "https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83" }, { "reference_url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2073", "reference_id": "CVE-2022-2073", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2073" }, { "reference_url": "https://github.com/advisories/GHSA-cxgw-r5jg-7xwq", "reference_id": "GHSA-cxgw-r5jg-7xwq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cxgw-r5jg-7xwq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25128?format=api", "purl": "pkg:composer/getgrav/grav@1.7.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.34" } ], "aliases": [ "CVE-2022-2073", "GHSA-cxgw-r5jg-7xwq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r2fp-phnf-9yej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70663?format=api", "vulnerability_id": "VCID-r3sd-5k16-r3c4", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42609", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12835", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.15212", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42609" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42609", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42609" }, { "reference_url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663", "reference_id": "5a12f9be8314682c8713e569e330f11805d0a663", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/" } ], "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663" }, { "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47", "reference_id": "c66dfeb5ff679a1667678c6335eb9ff3255dfc47", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/" } ], "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47" }, { "reference_url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632", "reference_id": "d904efc33e03ebb597afde8d3368b28cf0423632", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/" } ], "url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632" }, { "reference_url": "https://github.com/advisories/GHSA-rr73-568v-28f8", "reference_id": "GHSA-rr73-568v-28f8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rr73-568v-28f8" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8", "reference_id": "GHSA-rr73-568v-28f8", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:56:12Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42609", "GHSA-rr73-568v-28f8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r3sd-5k16-r3c4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210352?format=api", "vulnerability_id": "VCID-rfya-ry5q-2kha", "summary": "Grav CMS Local File Injection", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28034", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28232", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29556" }, { "reference_url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav", "reference_id": "CVE-2020-29553-CVE-2020-29555-CVE-2020-29556-MULTIPLE-VULNERABILITIES-WITHIN-CMS-GRAV", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29556", "reference_id": "CVE-2020-29556", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29556" }, { "reference_url": "https://github.com/advisories/GHSA-r3rg-jrjq-w4mr", "reference_id": "GHSA-r3rg-jrjq-w4mr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3rg-jrjq-w4mr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23160?format=api", "purl": "pkg:composer/getgrav/grav@1.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/491084?format=api", "purl": "pkg:composer/getgrav/grav@1.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.0" } ], "aliases": [ "CVE-2020-29556", "GHSA-r3rg-jrjq-w4mr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfya-ry5q-2kha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/142070?format=api", "vulnerability_id": "VCID-rg23-jtkn-ubga", "summary": "Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34251", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02554", "scoring_system": "epss", "scoring_elements": "0.85823", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.02554", "scoring_system": "epss", "scoring_elements": "0.85873", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34251" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34251", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34251" }, { "reference_url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5", "reference_id": "9d01140a63c77075ef09b26ef57cf186138151a5", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/" } ], "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5" }, { "reference_url": "https://github.com/advisories/GHSA-f9jf-4cp4-4fq5", "reference_id": "GHSA-f9jf-4cp4-4fq5", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f9jf-4cp4-4fq5" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5", "reference_id": "GHSA-f9jf-4cp4-4fq5", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5" }, { "reference_url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174", "reference_id": "GravExtension.php#L174", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/" } ], "url": "https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381711?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42" } ], "aliases": [ "CVE-2023-34251", "GHSA-f9jf-4cp4-4fq5" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rg23-jtkn-ubga" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/343316?format=api", "vulnerability_id": "VCID-rs2j-48mj-ruey", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3924", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00975", "scoring_system": "epss", "scoring_elements": "0.77107", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00975", "scoring_system": "epss", "scoring_elements": "0.77178", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3924" }, { "reference_url": "https://github.com/getgrav/grav/commit/8f9c417c04b89dc8d2de60b95e7696821b2826ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/commit/8f9c417c04b89dc8d2de60b95e7696821b2826ce" }, { "reference_url": "https://huntr.dev/bounties/7ca13522-d0c9-4eff-a7dd-6fd1a7f205a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/7ca13522-d0c9-4eff-a7dd-6fd1a7f205a2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3924", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3924" }, { "reference_url": "https://github.com/advisories/GHSA-8c5p-4362-9333", "reference_id": "GHSA-8c5p-4362-9333", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c5p-4362-9333" } ], "fixed_packages": [], "aliases": [ "CVE-2021-3924", "GHSA-8c5p-4362-9333" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rs2j-48mj-ruey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94761?format=api", "vulnerability_id": "VCID-sjgs-kpjt-akb7", "summary": "In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66844", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18017", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17857", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66844" }, { "reference_url": "https://github.com/Yohane-Mashiro/grav_cve/issues/2", "reference_id": "2", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-16T15:32:54Z/" } ], "url": "https://github.com/Yohane-Mashiro/grav_cve/issues/2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66844", "reference_id": "CVE-2025-66844", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66844" }, { "reference_url": "https://github.com/advisories/GHSA-729w-j79f-2c34", "reference_id": "GHSA-729w-j79f-2c34", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-729w-j79f-2c34" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/887967?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1" } ], "aliases": [ "CVE-2025-66844", "GHSA-729w-j79f-2c34" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sjgs-kpjt-akb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210354?format=api", "vulnerability_id": "VCID-tg5t-vpgm-akdc", "summary": "Grav CMS Cross-Site Request Forgery (CSRF)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29553", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35701", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35881", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29553" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29553", "reference_id": "CVE-2020-29553", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29553" }, { "reference_url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav", "reference_id": "CVE-2020-29553-CVE-2020-29555-CVE-2020-29556-MULTIPLE-VULNERABILITIES-WITHIN-CMS-GRAV", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav" }, { "reference_url": "https://github.com/advisories/GHSA-fqff-vcvx-68h3", "reference_id": "GHSA-fqff-vcvx-68h3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqff-vcvx-68h3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23160?format=api", "purl": "pkg:composer/getgrav/grav@1.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/23161?format=api", "purl": "pkg:composer/getgrav/grav@1.7.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.0-beta.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/491085?format=api", "purl": "pkg:composer/getgrav/grav@1.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.1" } ], "aliases": [ "CVE-2020-29553", "GHSA-fqff-vcvx-68h3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tg5t-vpgm-akdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94829?format=api", "vulnerability_id": "VCID-tjcf-ygft-mkge", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66301", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.29124", "scoring_system": "epss", "scoring_elements": "0.96695", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.29124", "scoring_system": "epss", "scoring_elements": "0.96706", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66301" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66301", "reference_id": "CVE-2025-66301", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66301" }, { "reference_url": "https://github.com/advisories/GHSA-v8x2-fjv7-8hjh", "reference_id": "GHSA-v8x2-fjv7-8hjh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8x2-fjv7-8hjh" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh", "reference_id": "GHSA-v8x2-fjv7-8hjh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T16:26:05Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66301", "GHSA-v8x2-fjv7-8hjh" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tjcf-ygft-mkge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94926?format=api", "vulnerability_id": "VCID-uqg4-1bkq-8kar", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00475", "scoring_system": "epss", "scoring_elements": "0.65357", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00475", "scoring_system": "epss", "scoring_elements": "0.65257", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66297" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297", "reference_id": "CVE-2025-66297", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66297" }, { "reference_url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458", "reference_id": "e37259527d9c1deb6200f8967197a9fa587c6458", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/" } ], "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458" }, { "reference_url": "https://github.com/advisories/GHSA-858q-77wx-hhx6", "reference_id": "GHSA-858q-77wx-hhx6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-858q-77wx-hhx6" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6", "reference_id": "GHSA-858q-77wx-hhx6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66297", "GHSA-858q-77wx-hhx6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uqg4-1bkq-8kar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95114?format=api", "vulnerability_id": "VCID-vkz5-kyf5-3uaz", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66303", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33791", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33611", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66303" }, { "reference_url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7", "reference_id": "9d11094e4133f059688fad1e00dbe96fb6e3ead7", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/" } ], "url": "https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66303", "reference_id": "CVE-2025-66303", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66303" }, { "reference_url": "https://github.com/advisories/GHSA-x62q-p736-3997", "reference_id": "GHSA-x62q-p736-3997", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x62q-p736-3997" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997", "reference_id": "GHSA-x62q-p736-3997", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66303", "GHSA-x62q-p736-3997" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vkz5-kyf5-3uaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70515?format=api", "vulnerability_id": "VCID-vm1b-p32c-67hc", "summary": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42610", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08198", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09612", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42610" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610" }, { "reference_url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47", "reference_id": "c66dfeb5ff679a1667678c6335eb9ff3255dfc47", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:49:51Z/" } ], "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47" }, { "reference_url": "https://github.com/advisories/GHSA-3f29-pqwf-v4j4", "reference_id": "GHSA-3f29-pqwf-v4j4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3f29-pqwf-v4j4" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4", "reference_id": "GHSA-3f29-pqwf-v4j4", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:49:51Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373988?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.2" } ], "aliases": [ "CVE-2026-42610", "GHSA-3f29-pqwf-v4j4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vm1b-p32c-67hc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361123?format=api", "vulnerability_id": "VCID-vudj-pa47-4kfd", "summary": "Cross-Site Scripting in Grav\n### Impact\nPrivileged users (with the ability to edit pages) have a mechanism to perform remote code execution via XSS. At a minimum, the vulnerability represents a bypass of security controls put in place to mitigate this form of attack.\n\nThe remote code execution can be performed because XSS would allow an attacker to execute functionality on behalf of a stolen administrative account - the facility to install custom plugins would then allow said attacker to install a plugin containing a web shell and thus garner access to the underlying system.\n\n### References\nhttps://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\nhttps://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\nhttps://cwe.mitre.org/data/definitions/79.html\n\n### For more information\nPlease contact contact@pentest.co.uk", "references": [ { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9" }, { "reference_url": "https://github.com/advisories/GHSA-cvmr-6428-87w9", "reference_id": "GHSA-cvmr-6428-87w9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cvmr-6428-87w9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23160?format=api", "purl": "pkg:composer/getgrav/grav@1.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.30" } ], "aliases": [ "GHSA-cvmr-6428-87w9", "GMS-2020-581" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vudj-pa47-4kfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39631?format=api", "vulnerability_id": "VCID-w36s-7xta-bfb5", "summary": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28117", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00482", "scoring_system": "epss", "scoring_elements": "0.65622", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00482", "scoring_system": "epss", "scoring_elements": "0.6572", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28117" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28117", "reference_id": "CVE-2024-28117", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28117" }, { "reference_url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_id": "de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/" } ], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe" }, { "reference_url": "https://github.com/advisories/GHSA-qfv4-q44r-g7rv", "reference_id": "GHSA-qfv4-q44r-g7rv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qfv4-q44r-g7rv" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv", "reference_id": "GHSA-qfv4-q44r-g7rv", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29986?format=api", "purl": "pkg:composer/getgrav/grav@1.7.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45" } ], "aliases": [ "CVE-2024-28117", "GHSA-qfv4-q44r-g7rv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w36s-7xta-bfb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70588?format=api", "vulnerability_id": "VCID-w6an-2dwk-2kcy", "summary": "Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42844", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14783", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14663", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42844" }, { "reference_url": "https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42844", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42844" }, { "reference_url": "https://github.com/advisories/GHSA-6xx2-m8wv-756h", "reference_id": "GHSA-6xx2-m8wv-756h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xx2-m8wv-756h" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h", "reference_id": "GHSA-6xx2-m8wv-756h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T14:28:07Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376134?format=api", "purl": "pkg:composer/getgrav/grav@2.0.0-beta.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bt8c-zfzy-4fbr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@2.0.0-beta.4" } ], "aliases": [ "CVE-2026-42844", "GHSA-6xx2-m8wv-756h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w6an-2dwk-2kcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55584?format=api", "vulnerability_id": "VCID-wuks-ngce-2kgm", "summary": "Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27921", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08787", "scoring_system": "epss", "scoring_elements": "0.9273", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.08787", "scoring_system": "epss", "scoring_elements": "0.92705", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27921" }, { "reference_url": "https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99", "reference_id": "5928411b86bab05afca2b33db4e7386a44858e99", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/" } ], "url": "https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27921", "reference_id": "CVE-2024-27921", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27921" }, { "reference_url": "https://github.com/advisories/GHSA-m7hx-hw6h-mqmc", "reference_id": "GHSA-m7hx-hw6h-mqmc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m7hx-hw6h-mqmc" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc", "reference_id": "GHSA-m7hx-hw6h-mqmc", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29986?format=api", "purl": "pkg:composer/getgrav/grav@1.7.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45" } ], "aliases": [ "CVE-2024-27921", "GHSA-m7hx-hw6h-mqmc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wuks-ngce-2kgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/138315?format=api", "vulnerability_id": "VCID-xzbd-pwhp-z7bj", "summary": "Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards retuns `false` value instead of `true` when the `\\` symbol is found in the `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator, user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.3024", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30436", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37897" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37897" }, { "reference_url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b", "reference_id": "71bbed12f950de8335006d7f91112263d8504f1b", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b" }, { "reference_url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7", "reference_id": "b4c62101a43051fc7f5349c7d0a5b6085375c1d7", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7" }, { "reference_url": "https://github.com/advisories/GHSA-9436-3gmp-4f53", "reference_id": "GHSA-9436-3gmp-4f53", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9436-3gmp-4f53" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53", "reference_id": "GHSA-9436-3gmp-4f53", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381495?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/639733?format=api", "purl": "pkg:composer/getgrav/grav@1.7.42.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42.2" } ], "aliases": [ "CVE-2023-37897", "GHSA-9436-3gmp-4f53" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xzbd-pwhp-z7bj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49763?format=api", "vulnerability_id": "VCID-ywms-fkbp-53a4", "summary": "Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account and read any file in the web server by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. A low privileged user may also perform a full account takeover of other registered users including Administrators. Version 1.7.46 contains a patch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34082", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00276", "scoring_system": "epss", "scoring_elements": "0.51499", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00276", "scoring_system": "epss", "scoring_elements": "0.51368", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34082" }, { "reference_url": "https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348", "reference_id": "b6bba9eb99bf8cb55b8fa8d23f18873ca594e348", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/" } ], "url": "https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34082", "reference_id": "CVE-2024-34082", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34082" }, { "reference_url": "https://github.com/advisories/GHSA-f8v5-jmfh-pr69", "reference_id": "GHSA-f8v5-jmfh-pr69", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f8v5-jmfh-pr69" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69", "reference_id": "GHSA-f8v5-jmfh-pr69", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31190?format=api", "purl": "pkg:composer/getgrav/grav@1.7.46", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46" } ], "aliases": [ "CVE-2024-34082", "GHSA-f8v5-jmfh-pr69" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ywms-fkbp-53a4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94626?format=api", "vulnerability_id": "VCID-z7vh-m45n-93fy", "summary": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server files using \"Frontmatter\" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66300", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22547", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22354", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66300" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66300", "reference_id": "CVE-2025-66300", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66300" }, { "reference_url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee", "reference_id": "ed640a13143c4177af013cf001969ed2c5e197ee", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:08:33Z/" } ], "url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee" }, { "reference_url": "https://github.com/advisories/GHSA-p4ww-mcp9-j6f2", "reference_id": "GHSA-p4ww-mcp9-j6f2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4ww-mcp9-j6f2" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2", "reference_id": "GHSA-p4ww-mcp9-j6f2", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:08:33Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66300", "GHSA-p4ww-mcp9-j6f2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z7vh-m45n-93fy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94956?format=api", "vulnerability_id": "VCID-zrsu-dppu-xuez", "summary": "This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 1.11.0-beta.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66312", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07316", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07274", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66312" }, { "reference_url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_id": "99f653296504f1d6408510dd2f6f20a45a26f9b0", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/" } ], "url": "https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66312", "reference_id": "CVE-2025-66312", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66312" }, { "reference_url": "https://github.com/advisories/GHSA-rmw5-f87r-w988", "reference_id": "GHSA-rmw5-f87r-w988", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rmw5-f87r-w988" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988", "reference_id": "GHSA-rmw5-f87r-w988", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35638?format=api", "purl": "pkg:composer/getgrav/grav@1.8.0-beta.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27" } ], "aliases": [ "CVE-2025-66312", "GHSA-rmw5-f87r-w988" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zrsu-dppu-xuez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210353?format=api", "vulnerability_id": "VCID-zrw3-291v-n7f5", "summary": "Grav CMS Arbitrary File Deletion", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29555", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04155", "scoring_system": "epss", "scoring_elements": "0.88922", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.04155", "scoring_system": "epss", "scoring_elements": "0.88959", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29555" }, { "reference_url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav", "reference_id": "CVE-2020-29553-CVE-2020-29555-CVE-2020-29556-MULTIPLE-VULNERABILITIES-WITHIN-CMS-GRAV", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29555", "reference_id": "CVE-2020-29555", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29555" }, { "reference_url": "https://github.com/advisories/GHSA-gpmf-q5jh-hjx4", "reference_id": "GHSA-gpmf-q5jh-hjx4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gpmf-q5jh-hjx4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23160?format=api", "purl": "pkg:composer/getgrav/grav@1.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rfya-ry5q-2kha" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zrw3-291v-n7f5" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.6.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/491084?format=api", "purl": "pkg:composer/getgrav/grav@1.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1uae-bt5u-2yct" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2559-2grj-ykbp" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4ee3-v7em-w3d9" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6jat-2def-zqbc" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-7pjb-q8yn-47cc" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9aqu-d699-27bh" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gk7c-d8fy-rbdf" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jjye-gyx1-j3bu" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-k8n9-gaa1-kfd6" }, { "vulnerability": "VCID-k9a3-vmbk-nkbc" }, { "vulnerability": "VCID-kpzg-n1y4-pufs" }, { "vulnerability": "VCID-n21x-za4a-rbe6" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-nznw-cfmj-6bfp" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-q8kr-z94u-gyeb" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r2fp-phnf-9yej" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-rg23-jtkn-ubga" }, { "vulnerability": "VCID-rs2j-48mj-ruey" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tg5t-vpgm-akdc" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w36s-7xta-bfb5" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-wuks-ngce-2kgm" }, { "vulnerability": "VCID-xzbd-pwhp-z7bj" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" }, { "vulnerability": "VCID-zsc2-ugrh-9ke5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.0" } ], "aliases": [ "CVE-2020-29555", "GHSA-gpmf-q5jh-hjx4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zrw3-291v-n7f5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39638?format=api", "vulnerability_id": "VCID-zsc2-ugrh-9ke5", "summary": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28116", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.62168", "scoring_system": "epss", "scoring_elements": "0.98388", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.62168", "scoring_system": "epss", "scoring_elements": "0.98382", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28116" }, { "reference_url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e", "reference_id": "4149c81339274130742831422de2685f298f3a6e", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/" } ], "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116", "reference_id": "CVE-2024-28116", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116" }, { "reference_url": "https://github.com/advisories/GHSA-c9gp-64c4-2rrh", "reference_id": "GHSA-c9gp-64c4-2rrh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c9gp-64c4-2rrh" }, { "reference_url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh", "reference_id": "GHSA-c9gp-64c4-2rrh", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/" } ], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29986?format=api", "purl": "pkg:composer/getgrav/grav@1.7.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1t44-x9xa-dqhy" }, { "vulnerability": "VCID-1vrd-293u-73br" }, { "vulnerability": "VCID-2qcb-uegp-t3h1" }, { "vulnerability": "VCID-3y6z-hczk-kbcj" }, { "vulnerability": "VCID-45ba-51hu-aybn" }, { "vulnerability": "VCID-4fyk-8s1y-zye1" }, { "vulnerability": "VCID-611u-223y-9fgn" }, { "vulnerability": "VCID-6nkq-h2ya-h7c4" }, { "vulnerability": "VCID-7376-h19s-q3bf" }, { "vulnerability": "VCID-8y17-ya5s-xudd" }, { "vulnerability": "VCID-9y53-5agq-9yaf" }, { "vulnerability": "VCID-b5ay-jsby-23he" }, { "vulnerability": "VCID-bn3y-7zgs-73ap" }, { "vulnerability": "VCID-bt8c-zfzy-4fbr" }, { "vulnerability": "VCID-c8s1-r8sp-nufc" }, { "vulnerability": "VCID-cafd-vta9-efdp" }, { "vulnerability": "VCID-dpwj-ft2b-qycu" }, { "vulnerability": "VCID-dqhd-acxj-huc6" }, { "vulnerability": "VCID-fbex-4yyq-jud6" }, { "vulnerability": "VCID-ftuq-vs33-byau" }, { "vulnerability": "VCID-fuk4-2ad3-gqe8" }, { "vulnerability": "VCID-gted-pwjh-xfbf" }, { "vulnerability": "VCID-hcnz-nxwp-ykfv" }, { "vulnerability": "VCID-jv8r-d9h7-vubf" }, { "vulnerability": "VCID-n873-y6ex-pqh2" }, { "vulnerability": "VCID-nbat-7pjr-d3e1" }, { "vulnerability": "VCID-p82r-r27b-kqfs" }, { "vulnerability": "VCID-pdbb-zdxf-tyck" }, { "vulnerability": "VCID-qk5j-hmd2-e7ap" }, { "vulnerability": "VCID-r3sd-5k16-r3c4" }, { "vulnerability": "VCID-sjgs-kpjt-akb7" }, { "vulnerability": "VCID-tjcf-ygft-mkge" }, { "vulnerability": "VCID-uqg4-1bkq-8kar" }, { "vulnerability": "VCID-vkz5-kyf5-3uaz" }, { "vulnerability": "VCID-vm1b-p32c-67hc" }, { "vulnerability": "VCID-w6an-2dwk-2kcy" }, { "vulnerability": "VCID-ywms-fkbp-53a4" }, { "vulnerability": "VCID-z7vh-m45n-93fy" }, { "vulnerability": "VCID-zrsu-dppu-xuez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45" } ], "aliases": [ "CVE-2024-28116", "GHSA-c9gp-64c4-2rrh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zsc2-ugrh-9ke5" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.2.4" }