| CVE-2026-42611 | high | 8.9 | 8.9 | 22d ago | Grav is Vulnerable to Stored XSS via Tag Injection |
| CVE-2026-42844 | high | 8.8 | 8.8 | 21d ago | Low-privileged Grav API users can create super-admin accounts via blueprint-upload |
| CVE-2026-42609 | high | 8.1 | 8.1 | 22d ago | Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic |
| CVE-2026-44738 | high | 7.7 | 7.7 | 15d ago | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() |
| CVE-2026-42610 | medium | 6.5 | 6.5 | 22d ago | Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass |
| CVE-2026-44737 | medium | — | 5.5 | 19d ago | Grav: Stored XSS via page title (data[header][title]) in admin panel |
| CVE-2026-42612 | medium | 5.4 | 5.4 | 22d ago | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes |
| CVE-2026-42842 | medium | 5.4 | 5.4 | 22d ago | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel |
| CVE-2026-7317 | medium | 5.0 | 5.0 | 22d ago | Grav has Insecure Deserialization in File Cache |
| CVE-2026-42841 | medium | 4.8 | 4.8 | 22d ago | Grav CMS vulnerable to stored XSS via Markdown media attribute() action |