
getgrav grav

63 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE ID | Affected versions | Score and severity

CVE-2026-44738 | < 2.0.0 | 7.7 HIGH
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to

CVE-2026-42841 | <= 1.8.0 | 4.8 MEDIUM
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an execut

CVE-2026-42612 | <= 1.8.0 | 8.5 HIGH
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows

CVE-2026-42611 | <= 1.8.0 | 8.9 HIGH
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS

CVE-2026-42610 | <= 1.8.0 | 6.5 MEDIUM
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permiss

CVE-2026-42609 | <= 1.8.0 | 8.1 HIGH
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-priv

CVE-2026-42608 | < 2.0.0 | 9.1 CRITICAL
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core compon

CVE-2026-29924 | < 1.8.0 | 7.6 HIGH
Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel

CVE-2021-47812 | all versions | 9.8 CRITICAL
GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and ex

CVE-2025-66844 | < 1.7.49.5 | 9.1 CRITICAL
In grav <1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed

CVE-2025-66843 | < 1.7.49.5 | 5.4 MEDIUM
grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authentic

CVE-2025-65186 | all versions | 6.1 MEDIUM
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a

CVE-2025-66312 | <= 1.10.50 | 5.4 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66311 | <= 1.10.50 | 5.4 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66310 | <= 1.10.50 | 5.4 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66309 | <= 1.10.50 | 6.1 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66308 | <= 1.10.50 | 5.4 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66307 | <= 1.10.50 | 6.5 MEDIUM
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify

CVE-2025-66306 | >= 1.7.48 and < 1.8.0 | 4.3 MEDIUM
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in th

CVE-2025-66305 | >= 1.7.48 and < 1.8.0 | 4.9 MEDIUM
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Language

CVE-2025-66304 | >= 1.7.46 and < 1.8.0 | 6.2 MEDIUM
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the ad

CVE-2025-66303 | < 1.8.0 | 4.9 MEDIUM
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability has been identified in Grav rel

CVE-2025-66302 | < 1.8.0 | 6.8 MEDIUM
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowin

CVE-2025-66301 | < 1.8.0 | 9.6 CRITICAL
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on

CVE-2025-66300 | < 1.8.0 | 8.5 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can read any s

CVE-2025-66299 | < 1.8.0 | 8.8 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that

CVE-2025-66298 | < 1.8.0 | 7.5 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration de

CVE-2025-66297 | < 1.8.0 | 8.8 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages

CVE-2025-66296 | >= 1.7.49.5 and < 1.8.0 | 8.8 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav's Admin plugin du

CVE-2025-66295 | >= 1.7.49.5 and < 1.8.0 | 8.8 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through

CVE-2025-66294 | >= 1.7.48 and < 1.8.0 | 8.8 HIGH
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav th

CVE-2025-63593 | all versions | 6.1 MEDIUM
Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS).

CVE-2025-50286 | all versions | 8.1 HIGH
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the

CVE-2025-46198 | >= 1.7.46 and <= 1.7.48 | 8.8 HIGH
Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the on

CVE-2025-46199 | <= 1.7.48 | 9.8 CRITICAL
Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script t

CVE-2024-35498 | all versions | 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted

CVE-2024-34082 | < 1.7.46 | 8.5 HIGH
Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any ser

CVE-2024-28119 | < 1.7.45 | 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig exten

CVE-2024-28118 | < 1.7.45 | 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig exten

CVE-2024-28117 | < 1.7.45 | 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through

CVE-2024-28116 | < 1.7.45 | 8.8 HIGH
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Templ

CVE-2024-27921 | < 1.7.45 | 8.8 HIGH
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the

CVE-2024-27923 | < 1.7.43 | 8.8 HIGH
Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the frontmatter feature d

CVE-2023-31506 | <= 1.7.44 | 5.4 MEDIUM
A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before allows remote authenticated attackers to execute ar

CVE-2023-37897 | all versions | 7.2 HIGH
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix

CVE-2023-34452 | <= 1.7.42 | 5.4 MEDIUM
Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cros

CVE-2023-34448 | < 1.7.42 | 8.8 HIGH
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template inject

CVE-2023-34253 | < 1.7.42 | 8.8 HIGH
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent danger

CVE-2023-34252 | < 1.7.42 | 8.8 HIGH
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()

CVE-2023-34251 | < 1.7.42 | 9.9 CRITICAL
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote c

CVE-2022-2073 | < 1.7.34 | 7.2 HIGH
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.

CVE-2022-1173 | < 1.7.33 | 5.4 MEDIUM
Stored XSS in GitHub repository getgrav/grav prior to 1.7.33.

CVE-2022-0970 | < 1.7.31 | 5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.

CVE-2022-0743 | < 1.7.31 | 4.6 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.

CVE-2022-0268 | < 1.7.28 | 5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28.

CVE-2021-3920 | < 1.10.25 | 5.4 MEDIUM
grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-3924 | <= 1.7.24 | 7.5 HIGH
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-3904 | < 1.7.24 | 5.4 MEDIUM
grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-3818 | < 1.7.22 | 5.3 MEDIUM
grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking

CVE-2021-3799 | < 1.10.20 | 5.4 MEDIUM
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames

CVE-2021-29440 | < 1.7.11 | 8.4 HIGH
Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user a

CVE-2021-21425 | < 1.10.8 | 9.3 CRITICAL
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7

CVE-2020-11529 | <= 1.6.31 | 6.1 MEDIUM
Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin