| CVE-2026-42607 |
critical |
9.1 |
10.0 |
|
|
|
1mo ago |
Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature |
| CVE-2026-42613 |
critical |
9.4 |
9.4 |
|
|
|
1mo ago |
Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access |
| CVE-2026-42608 |
critical |
9.1 |
9.1 |
|
|
|
1mo ago |
Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component |
| CVE-2026-42611 |
high |
8.9 |
8.9 |
|
|
|
1mo ago |
Grav is Vulnerable to Stored XSS via Tag Injection |
| CVE-2026-42844 |
high |
8.8 |
8.8 |
|
|
|
1mo ago |
Low-privileged Grav API users can create super-admin accounts via blueprint-upload |
| CVE-2026-42609 |
high |
8.1 |
8.1 |
|
|
|
1mo ago |
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic |
| CVE-2026-44738 |
high |
7.7 |
7.7 |
|
|
|
23d ago |
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() |
