| CVE-2026-42607 |
critical |
9.1 |
10.0 |
23d ago |
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature |
|
| CVE-2026-42613 |
critical |
9.4 |
9.4 |
22d ago |
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access |
|
| CVE-2026-42608 |
critical |
9.1 |
9.1 |
22d ago |
Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component |
|
| CVE-2026-42611 |
high |
8.9 |
8.9 |
22d ago |
Grav is Vulnerable to Stored XSS via Tag Injection |
|
| CVE-2026-42844 |
high |
8.8 |
8.8 |
22d ago |
Low-privileged Grav API users can create super-admin accounts via blueprint-upload |
|
| CVE-2026-42609 |
high |
8.1 |
8.1 |
22d ago |
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic |
|
| CVE-2026-44738 |
high |
7.7 |
7.7 |
15d ago |
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() |
|