Getgrav

Grav

53 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2025-66297

Exploit
  • EPSS 0.52%
  • Veröffentlicht 01.12.2025 21:05:44
  • Zuletzt bearbeitet 03.12.2025 15:58:41

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can es...

8.8

CVE-2025-66296

  • EPSS 0.07%
  • Veröffentlicht 01.12.2025 21:03:07
  • Zuletzt bearbeitet 04.12.2025 18:33:10

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create ...

8.8

CVE-2025-66294

Exploit
  • EPSS 41.36%
  • Veröffentlicht 01.12.2025 20:52:08
  • Zuletzt bearbeitet 04.12.2025 18:36:15

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain...

8.8

CVE-2025-66295

  • EPSS 0.09%
  • Veröffentlicht 01.12.2025 20:46:56
  • Zuletzt bearbeitet 04.12.2025 18:34:22

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes...

6.1

CVE-2025-63593

Exploit
  • EPSS 0.03%
  • Veröffentlicht 03.11.2025 00:00:00
  • Zuletzt bearbeitet 07.11.2025 18:33:34

Grav CMS1.7.49.5 is vulnerable to Cross Site Scripting (XSS).

8.1

CVE-2025-50286

Exploit
  • EPSS 58.4%
  • Veröffentlicht 06.08.2025 00:00:00
  • Zuletzt bearbeitet 07.11.2025 19:18:37

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitr...

9.8

CVE-2025-46199

Exploit
  • EPSS 0.38%
  • Veröffentlicht 25.07.2025 18:15:26
  • Zuletzt bearbeitet 15.08.2025 14:32:27

Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields

8.8

CVE-2025-46198

Exploit
  • EPSS 0.2%
  • Veröffentlicht 25.07.2025 00:00:00
  • Zuletzt bearbeitet 20.08.2025 20:05:24

Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element

6.1

CVE-2024-35498

Exploit
  • EPSS 0.11%
  • Veröffentlicht 06.01.2025 19:15:12
  • Zuletzt bearbeitet 17.04.2025 02:36:22

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

9.9

CVE-2024-34082

Exploit
  • EPSS 0.21%
  • Veröffentlicht 15.05.2024 17:15:12
  • Zuletzt bearbeitet 02.01.2025 23:06:29

Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hash...