VIR Vulnerability Intelligence Relay

Package impact

php COMPOSER / getgrav/grav

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-42607 critical 9.1 10.0 29d ago Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
CVE-2026-42613 critical 9.4 9.4 29d ago Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
CVE-2026-42608 critical 9.1 9.1 29d ago Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
CVE-2026-42611 high 8.9 8.9 29d ago Grav is Vulnerable to Stored XSS via Tag Injection
CVE-2026-42844 high 8.8 8.8 28d ago Low-privileged Grav API users can create super-admin accounts via blueprint-upload
CVE-2026-42609 high 8.1 8.1 29d ago Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
CVE-2026-44738 high 7.7 7.7 22d ago Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()