Package impact

php Packagist / getgrav/grav

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42607 | critical | 9.1 | 10.0 | 22d ago | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | php |
| CVE-2026-42613 | critical | 9.4 | 9.4 | 22d ago | Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access | php |
| CVE-2026-42608 | critical | 9.1 | 9.1 | 22d ago | Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component | php |
| CVE-2026-42611 | high | 8.9 | 8.9 | 22d ago | Grav is Vulnerable to Stored XSS via Tag Injection | php |
| CVE-2026-42844 | high | 8.8 | 8.8 | 21d ago | Low-privileged Grav API users can create super-admin accounts via blueprint-upload | php |
| CVE-2026-42609 | high | 8.1 | 8.1 | 22d ago | Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic | php |
| CVE-2026-44738 | high | 7.7 | 7.7 | 15d ago | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() | php |
| CVE-2026-42610 | medium | 6.5 | 6.5 | 22d ago | Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass | php |
| CVE-2026-44737 | medium | 5.5 | | 19d ago | Grav: Stored XSS via page title (data[header][title]) in admin panel | php |
| CVE-2026-42612 | medium | 5.4 | 5.4 | 22d ago | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes | php |
| CVE-2026-42842 | medium | 5.4 | 5.4 | 22d ago | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel | php |
| CVE-2026-7317 | medium | 5.0 | 5.0 | 22d ago | Grav has Insecure Deserialization in File Cache | php |
| CVE-2026-42841 | medium | 4.8 | 4.8 | 22d ago | Grav CMS vulnerable to stored XSS via Markdown media attribute() action | php |
| CVE-2025-66844 | unknown | | | 5mo ago | Grav may be vulnerable to SSRF attack via Twig Templates | php |
| CVE-2025-66843 | unknown | | | 5mo ago | Grav is vulnerable to Stored XSS through authenticated user-edited content | php |
| CVE-2025-65186 | unknown | | | 6mo ago | Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor | php |
| CVE-2025-66298 | unknown | | | 6mo ago | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms | php |
| CVE-2025-66294 | unknown | | | 6mo ago | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | php |
| CVE-2025-66310 | unknown | | | 6mo ago | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab | php |
| CVE-2025-66309 | unknown | | | 6mo ago | Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab | php |
| CVE-2025-66297 | unknown | | | 6mo ago | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection | php |
| CVE-2025-66308 | unknown | | | 6mo ago | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` | php |
| CVE-2025-66295 | unknown | | | 6mo ago | Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption | php |
| CVE-2025-66305 | unknown | | | 6mo ago | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter | php |
| CVE-2025-66306 | unknown | | | 6mo ago | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel | php |
| CVE-2025-66302 | unknown | | | 6mo ago | Grav vulnerable to Path Traversal allowing server files backup | php |
| CVE-2025-66307 | unknown | | | 6mo ago | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure | php |
| CVE-2025-66312 | unknown | | | 6mo ago | Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` | php |
| CVE-2025-66311 | unknown | | | 6mo ago | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters | php |
| CVE-2025-66304 | unknown | | | 6mo ago | Grav Exposes Password Hashes Leading to privilege escalation | php |
| CVE-2025-66303 | unknown | | | 6mo ago | Grav is vulnerable to a DOS on the admin panel | php |
| CVE-2025-66301 | unknown | | | 6mo ago | Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions | php |
| CVE-2025-66300 | unknown | | | 6mo ago | Grav is vulnerable to Arbitrary File Read | php |
| CVE-2025-66299 | unknown | | | 6mo ago | Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) | php |
| CVE-2025-66296 | unknown | | | 6mo ago | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover | php |
| CVE-2024-35498 | unknown | | | 1y ago | Grav Cross-site Scripting vulnerability | php |
| CVE-2024-34082 | unknown | | | 2y ago | Grav Vulnerable to Arbitrary File Read to Account Takeover | php |
| CVE-2024-28119 | unknown | | | 2y ago | Server Side Template Injection (SSTI) via Twig escape handler | php |
| CVE-2024-28118 | unknown | | | 2y ago | Server Side Template Injection (SSTI) | php |
| CVE-2024-28117 | unknown | | | 2y ago | Server Side Template Injection (SSTI) | php |
| CVE-2024-28116 | unknown | | | 2y ago | Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass | php |
| CVE-2024-27921 | unknown | | | 2y ago | Grav File Upload Path Traversal | php |
| CVE-2024-27923 | unknown | | | 2y ago | Remote Code Execution by uploading a phar file using frontmatter | php |
| CVE-2023-31506 | unknown | | | 2y ago | Cross-site scripting (XSS) vulnerability in Grav | php |
| CVE-2023-37897 | unknown | | | 3y ago | grav Server-side Template Injection (SSTI) mitigation bypass | php |
| CVE-2023-34448 | unknown | | | 3y ago | Grav Server-side Template Injection (SSTI) via Twig Default Filters | php |
| CVE-2023-34253 | unknown | | | 3y ago | Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability | php |
| CVE-2023-34252 | unknown | | | 3y ago | Grav Server-side Template Injection (SSTI) via Twig Default Filters | php |
| CVE-2023-34251 | unknown | | | 3y ago | Grav Server Side Template Injection (SSTI) vulnerability | php |
| CVE-2022-2073 | unknown | | | 4y ago | Code injection in grav | php |
| CVE-2020-29555 | unknown | | | 4y ago | Grav CMS Arbitrary File Deletion | php |
| CVE-2020-29553 | unknown | | | 4y ago | Grav CMS Cross-Site Request Forgery (CSRF) | php |
| CVE-2020-29556 | unknown | | | 4y ago | Grav CMS Local File Injection | php |
| CVE-2018-5233 | unknown | | | 4y ago | Grav CMS Cross-site scripting (XSS) vulnerability | php |
| CVE-2022-1173 | unknown | | | 4y ago | Stored cross site scripting in getgrav/grav | php |
| CVE-2022-0970 | unknown | | | 4y ago | Stored Cross-site Scripting in grav | php |
| CVE-2022-0743 | unknown | | | 4y ago | Cross site scripting in getgrav/grav | php |
| CVE-2022-0268 | unknown | | | 4y ago | Cross-site Scripting in grav | php |
| CVE-2020-11529 | unknown | | | 4y ago | Open Redirect in Grav | php |
| CVE-2021-3924 | unknown | | | 5y ago | Path traversal in grav | php |
| CVE-2021-3904 | unknown | | | 5y ago | Cross-Site Scripting in grav | php |
| CVE-2021-3818 | unknown | | | 5y ago | Reliance on Cookies without Validation and Integrity Checking in getgrav/grav | php |
| CVE-2021-29440 | unknown | | | 5y ago | Grav's Twig processing allowing dangerous PHP functions by default | php |
| CVE-2019-16126 | unknown | | | 7y ago | Cross-site Scripting in Grav | php |