Every CVE whose affected-product data names Getgrav Grav, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (56)
CVE-2023-34251 — CVSS 9.9 (critical): Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code…
CVE-2025-46199 — CVSS 9.8 (critical): Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the…
CVE-2021-47812 — CVSS 9.8 (critical): GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP…
CVE-2025-66301 — CVSS 9.6 (critical): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST…
CVE-2025-66844 — CVSS 9.1 (critical): In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig…
CVE-2026-42608 — CVSS 9.1 (critical): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By…
CVE-2026-42611 — CVSS 8.9 (high): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the…
CVE-2023-34252 — CVSS 8.8 (high): Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()`…
CVE-2026-42844 — CVSS 8.8 (high): Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse…
CVE-2024-28116 — CVSS 8.8 (high): Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template…
CVE-2024-28117 — CVSS 8.8 (high): Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the…
CVE-2024-28118 — CVSS 8.8 (high): Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension…
CVE-2024-28119 — CVSS 8.8 (high): Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension…
CVE-2025-66294 — CVSS 8.8 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows…
CVE-2025-46198 — CVSS 8.8 (high): Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror…
CVE-2025-66299 — CVSS 8.8 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows…
CVE-2025-66297 — CVSS 8.8 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav…
CVE-2023-34253 — CVSS 8.8 (high): Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous…
CVE-2023-34448 — CVSS 8.8 (high): Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection…
CVE-2025-66296 — CVSS 8.8 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the…
CVE-2025-66295 — CVSS 8.8 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin…
CVE-2024-27921 — CVSS 8.8 (high): Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the…
CVE-2024-27923 — CVSS 8.8 (high): Grav is a content management system (CMS). Prior to version 1.7.43, users who may write a page may use the `frontmatter` feature due to…
CVE-2025-66300 — CVSS 8.5 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server…
CVE-2024-34082 — CVSS 8.5 (high): Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files…
CVE-2026-42612 — CVSS 8.5 (high): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows…
CVE-2021-29440 — CVSS 8.4 (high): Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to…
CVE-2026-42609 — CVSS 8.1 (high): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged…
CVE-2025-50286 — CVSS 8.1 (high): A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the…
CVE-2026-44738 — CVSS 7.7 (high): Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call…
CVE-2026-29924 — CVSS 7.6 (high): Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File…
CVE-2021-3924 — CVSS 7.5 (high): grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-66298 — CVSS 7.5 (high): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details…
CVE-2023-37897 — CVSS 7.2 (high): Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for…
CVE-2025-66302 — CVSS 6.8 (medium): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing…
CVE-2026-42610 — CVSS 6.5 (medium): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can…
CVE-2025-66304 — CVSS 6.2 (medium): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel…
CVE-2025-65186 — CVSS 6.1 (medium): Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown…
CVE-2024-35498 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2020-11529 — CVSS 6.1 (medium): Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.
CVE-2023-31506 — CVSS 5.4 (medium): A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary…
CVE-2023-34452 — CVSS 5.4 (medium): Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgot_password" page has a self-reflected cross-site…
CVE-2021-3904 — CVSS 5.4 (medium): grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-37256 — CVSS 5.4 (medium): Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged…
CVE-2025-66843 — CVSS 5.4 (medium): grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated…
CVE-2025-66305 — CVSS 4.9 (medium): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages"…
CVE-2025-66303 — CVSS 4.9 (medium): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to…
CVE-2026-42841 — CVSS 4.8 (medium): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable…
CVE-2025-66306 — CVSS 4.3 (medium): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav…