Package impact

php Packagist / getgrav/grav

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-42607 critical 9.1 10.0 29d ago Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
CVE-2026-42613 critical 9.4 9.4 29d ago Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
CVE-2026-42608 critical 9.1 9.1 29d ago Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
CVE-2026-42611 high 8.9 8.9 29d ago Grav is Vulnerable to Stored XSS via Tag Injection
CVE-2026-42844 high 8.8 8.8 28d ago Low-privileged Grav API users can create super-admin accounts via blueprint-upload
CVE-2026-42609 high 8.1 8.1 29d ago Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
CVE-2026-44738 high 7.7 7.7 21d ago Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
CVE-2026-42610 medium 6.5 6.5 29d ago Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
CVE-2026-44737 medium 5.5 26d ago Grav: Stored XSS via page title (data[header][title]) in admin panel
CVE-2026-42612 medium 5.4 5.4 29d ago Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
CVE-2026-42842 medium 5.4 5.4 29d ago Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
CVE-2026-7317 medium 5.0 5.0 29d ago Grav has Insecure Deserialization in File Cache
CVE-2026-42841 medium 4.8 4.8 29d ago Grav CMS vulnerable to stored XSS via Markdown media attribute() action
CVE-2025-66294 unknown 1.0 6mo ago Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
CVE-2025-66301 unknown 1.0 6mo ago Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
CVE-2021-29440 unknown 1.0 5y ago Grav's Twig processing allowing dangerous PHP functions by default
CVE-2025-66843 unknown 6mo ago Grav is vulnerable to Stored XSS through authenticated user-edited content
CVE-2025-66844 unknown 6mo ago Grav may be vulnerable to SSRF attack via Twig Templates
CVE-2025-65186 unknown 6mo ago Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
CVE-2025-66298 unknown 6mo ago Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
CVE-2025-66310 unknown 6mo ago Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
CVE-2025-66309 unknown 6mo ago Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
CVE-2025-66297 unknown 6mo ago Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
CVE-2025-66308 unknown 6mo ago Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
CVE-2025-66295 unknown 6mo ago Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
CVE-2025-66305 unknown 6mo ago Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
CVE-2025-66306 unknown 6mo ago Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
CVE-2025-66302 unknown 6mo ago Grav vulnerable to Path Traversal allowing server files backup
CVE-2025-66307 unknown 6mo ago Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
CVE-2025-66312 unknown 6mo ago Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
CVE-2025-66311 unknown 6mo ago Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
CVE-2025-66304 unknown 6mo ago Grav Exposes Password Hashes Leading to privilege escalation
CVE-2025-66303 unknown 6mo ago Grav is vulnerable to a DOS on the admin panel
CVE-2025-66300 unknown 6mo ago Grav is vulnerable to Arbitrary File Read
CVE-2025-66299 unknown 6mo ago Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
CVE-2025-66296 unknown 6mo ago Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
CVE-2024-35498 unknown 1y ago Grav Cross-site Scripting vulnerability
CVE-2024-34082 unknown 2y ago Grav Vulnerable to Arbitrary File Read to Account Takeover
CVE-2024-28119 unknown 2y ago Server Side Template Injection (SSTI) via Twig escape handler
CVE-2024-28118 unknown 2y ago Server Side Template Injection (SSTI)
CVE-2024-28117 unknown 2y ago Server Side Template Injection (SSTI)
CVE-2024-28116 unknown 2y ago Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
CVE-2024-27921 unknown 2y ago Grav File Upload Path Traversal
CVE-2024-27923 unknown 2y ago Remote Code Execution by uploading a phar file using frontmatter
CVE-2023-31506 unknown 2y ago Cross-site scripting (XSS) vulnerability in Grav
CVE-2023-37897 unknown 3y ago grav Server-side Template Injection (SSTI) mitigation bypass
CVE-2023-34448 unknown 3y ago Grav Server-side Template Injection (SSTI) via Twig Default Filters
CVE-2023-34253 unknown 3y ago Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability
CVE-2023-34252 unknown 3y ago Grav Server-side Template Injection (SSTI) via Twig Default Filters
CVE-2023-34251 unknown 3y ago Grav Server Side Template Injection (SSTI) vulnerability
CVE-2022-2073 unknown 4y ago Code injection in grav
CVE-2020-29555 unknown 4y ago Grav CMS Arbitrary File Deletion
CVE-2020-29553 unknown 4y ago Grav CMS Cross-Site Request Forgery (CSRF)
CVE-2020-29556 unknown 4y ago Grav CMS Local File Injection
CVE-2018-5233 unknown 4y ago Grav CMS Cross-site scripting (XSS) vulnerability
CVE-2022-1173 unknown 4y ago Stored cross site scripting in getgrav/grav
CVE-2022-0970 unknown 4y ago Stored Cross-site Scripting in grav
CVE-2022-0743 unknown 4y ago Cross site scripting in getgrav/grav
CVE-2022-0268 unknown 4y ago Cross-site Scripting in grav
CVE-2020-11529 unknown 5y ago Open Redirect in Grav
CVE-2021-3924 unknown 5y ago Path traversal in grav
CVE-2021-3904 unknown 5y ago Cross-Site Scripting in grav
CVE-2021-3818 unknown 5y ago Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
CVE-2019-16126 unknown 7y ago Cross-site Scripting in Grav