Vulnerabilities in Getgrav

61 results
CVE ID          Severity  EPSS  Title
CVE-2025-66300  HIGH      0.4%  Grav is vulnerable to Arbitrary File Read
CVE-2025-66304  MEDIUM    0.4%  Grav Exposes Password Hashes Leading to privilege escalation
CVE-2026-42843  HIGH      0.4%  grav-plugin-api: Grav API Privilege Escalation to Super Admin
CVE-2026-42844  HIGH      0.3%  Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
CVE-2025-66303  MEDIUM    0.3%  Grav is vulnerable to a DOS on the admin panel
CVE-2025-66305  MEDIUM    0.3%  Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
CVE-2025-66298  HIGH      0.3%  Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
CVE-2026-42611  HIGH      0.3%  Grav: Stored XSS via Tag Injection
CVE-2026-42610  MEDIUM    0.3%  Grav: Sensitive Information Disclosure via Accounts Service Bypass
CVE-2026-44738  HIGH      0.3%  Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
CVE-2025-66307  MEDIUM    0.3%  Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
CVE-2025-66296  HIGH      0.3%  Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
CVE-2026-44737  MEDIUM    0.3%  grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]
CVE-2025-66306  MEDIUM    0.3%  Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
CVE-2026-42612  HIGH      0.2%  Grav: Publisher-Level Stored XSS via Unquoted Event Attributes
CVE-2025-66309  MEDIUM    0.2%  Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
CVE-2025-66308  MEDIUM    0.2%  Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
CVE-2025-66312  MEDIUM    0.2%  Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
CVE-2025-66310  MEDIUM    0.2%  Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
CVE-2025-66311  MEDIUM    0.2%  Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters