CVE-2026-61454
Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__
Vexday Risk Score
18Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.7EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
11 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Produtos afetados
getgrav · grav