| CVE-2026-42607 |
critical |
9.1 |
10.0 |
23d ago |
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature |
|
| CVE-2026-42613 |
critical |
9.4 |
9.4 |
23d ago |
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access |
|
| CVE-2026-42608 |
critical |
9.1 |
9.1 |
23d ago |
Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component |
|
| CVE-2026-42610 |
medium |
6.5 |
6.5 |
23d ago |
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass |
|
| CVE-2026-44737 |
medium |
— |
5.5 |
20d ago |
Grav: Stored XSS via page title (data[header][title]) in admin panel |
|
| CVE-2026-42612 |
medium |
5.4 |
5.4 |
23d ago |
Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes |
|
| CVE-2026-42842 |
medium |
5.4 |
5.4 |
23d ago |
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel |
|
| CVE-2026-7317 |
medium |
5.0 |
5.0 |
23d ago |
Grav has Insecure Deserialization in File Cache |
|
| CVE-2026-42841 |
medium |
4.8 |
4.8 |
23d ago |
Grav CMS vulnerable to stored XSS via Markdown media attribute() action |
|