getgrav/grav Security Advisories for 1.6.22 (49)
- [MEDIUM] Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
PKSA-1qqp-d2tf-94bx CVE-2025-65186 GHSA-cchq-397m-q2qm
Affected version: <=1.7.49
Reported by: GitHub

- [HIGH] Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
PKSA-b17c-1fcn-dgtx CVE-2025-66298 GHSA-8535-hvm8-2hmv
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
PKSA-cyrn-zc8g-f5mw CVE-2025-66294 GHSA-662m-56v4-3r8f
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
PKSA-6ybw-qvkx-41s3 CVE-2025-66310 GHSA-7g78-5g5g-mvfj
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
PKSA-fhbw-8kkc-q4g7 CVE-2025-66309 GHSA-65mj-f7p4-wggq
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
PKSA-69s1-6gdk-gbrs CVE-2025-66297 GHSA-858q-77wx-hhx6
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
PKSA-j9sn-rww3-fk26 CVE-2025-66308 GHSA-gqxx-248x-g29f
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
PKSA-87p7-31n6-n4f3 CVE-2025-66295 GHSA-h756-wh59-hhjv
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
PKSA-nbf5-vjfz-hnnq CVE-2025-66305 GHSA-m8vh-v6r6-w7p6
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
PKSA-rdds-1cns-2prg CVE-2025-66306 GHSA-4cwq-j7jv-qmwg
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav vulnerable to Path Traversal allowing server files backup
PKSA-pps4-ft6r-rq3g CVE-2025-66302 GHSA-j422-qmxp-hv94
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
PKSA-kdts-d57h-cyfm CVE-2025-66307 GHSA-q3qx-cp62-f6m7
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
PKSA-w4p2-x7q2-ymxv CVE-2025-66312 GHSA-rmw5-f87r-w988
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
PKSA-mhn3-t14t-g84c CVE-2025-66311 GHSA-mpjj-4688-3fxg
Affected version: <1.11.0-beta.1
Reported by: GitHub

- [MEDIUM] Grav Exposes Password Hashes Leading to privilege escalation
PKSA-gsfs-x94c-47x5 CVE-2025-66304 GHSA-gq3g-666w-7h85
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [MEDIUM] Grav is vulnerable to a DOS on the admin panel
PKSA-v47z-3557-jjwp CVE-2025-66303 GHSA-x62q-p736-3997
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
PKSA-8gyx-1dyf-y75r CVE-2025-66301 GHSA-v8x2-fjv7-8hjh
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav is vulnerable to Arbitrary File Read
PKSA-82ft-1nmh-cs67 CVE-2025-66300 GHSA-p4ww-mcp9-j6f2
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
PKSA-83gv-619f-b6h7 CVE-2025-66299 GHSA-gjc5-8cfh-653x
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [HIGH] Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
PKSA-h4jv-pmqx-9phz CVE-2025-66296 GHSA-cjcp-qxvg-4rjm
Affected version: <1.8.0-beta.27
Reported by: GitHub

- [LOW] Grav Cross-site Scripting vulnerability
PKSA-gkwz-nwsv-cbwb CVE-2024-35498 GHSA-m78c-qx99-mvw9
Affected version: <=1.7.45
Reported by: GitHub

- [HIGH] Grav Vulnerable to Arbitrary File Read to Account Takeover
PKSA-dfbv-gg3q-6zkv CVE-2024-34082 GHSA-f8v5-jmfh-pr69
Affected version: <1.7.46
Reported by: GitHub

- [HIGH] Server Side Template Injection (SSTI) via Twig escape handler
PKSA-qk36-vv6t-rpy1 CVE-2024-28119 GHSA-2m7x-c7px-hp58
Affected version: <1.7.45
Reported by: GitHub

- [HIGH] Server Side Template Injection (SSTI)
PKSA-4zrd-fzvb-s4j9 CVE-2024-28118 GHSA-r6vw-8v8r-pmp4
Affected version: <1.7.45
Reported by: GitHub

- [HIGH] Server Side Template Injection (SSTI)
PKSA-md79-czmr-hzqq CVE-2024-28117 GHSA-qfv4-q44r-g7rv
Affected version: <1.7.45
Reported by: GitHub

- [HIGH] Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
PKSA-3xkc-2rqf-2zr3 CVE-2024-28116 GHSA-c9gp-64c4-2rrh
Affected version: <1.7.45
Reported by: GitHub

- [HIGH] Grav File Upload Path Traversal
PKSA-k12q-kcf1-m3gr CVE-2024-27921 GHSA-m7hx-hw6h-mqmc
Affected version: <1.7.45
Reported by: GitHub

- [CRITICAL] Remote Code Execution by uploading a phar file using frontmatter
PKSA-s32r-k9tt-xp19 CVE-2024-27923 GHSA-f6g2-h7qv-3m5v
Affected version: <1.7.43
Reported by: GitHub

- [MEDIUM] Cross-site scripting (XSS) vulnerability in Grav
PKSA-b2jk-phpd-zxp3 CVE-2023-31506 GHSA-xrf8-cmrg-7436
Affected version: <1.7.44
Reported by: GitHub

- [HIGH] grav Server-side Template Injection (SSTI) mitigation bypass
PKSA-dtsr-c39p-kd8y CVE-2023-37897 GHSA-9436-3gmp-4f53
Affected version: <=1.7.42.1
Reported by: GitHub

- [HIGH] Grav Server-side Template Injection (SSTI) via Twig Default Filters
PKSA-qff4-p3t5-hhpv CVE-2023-34448 GHSA-whr7-m3f8-mpm8
Affected version: <1.7.42
Reported by: GitHub

- [HIGH] Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability
PKSA-728s-msrd-5k9y CVE-2023-34253 GHSA-j3v8-v77f-fvgm
Affected version: <1.7.42
Reported by: GitHub

- [HIGH] Grav Server-side Template Injection (SSTI) via Twig Default Filters
PKSA-czz7-ybjd-h94w CVE-2023-34252 GHSA-96xv-rmwj-6p9w
Affected version: <1.7.42
Reported by: GitHub

- [CRITICAL] Grav Server Side Template Injection (SSTI) vulnerability
PKSA-n6nv-g9gv-59mq CVE-2023-34251 GHSA-f9jf-4cp4-4fq5
Affected version: <1.7.42
Reported by: GitHub

- [HIGH] Code injection in grav
PKSA-h22v-p71y-45m3 CVE-2022-2073 GHSA-cxgw-r5jg-7xwq
Affected version: <1.7.34
Reported by: GitHub

- [HIGH] Grav CMS Cross-Site Request Forgery (CSRF)
PKSA-2p1j-dmf2-d31s CVE-2020-29553 GHSA-fqff-vcvx-68h3
Affected version: <1.6.30|>=1.7.0-beta.1,<=1.7.0-rc.17
Reported by: GitHub

- [HIGH] Grav CMS Arbitrary File Deletion
PKSA-6yvg-f1gg-wxgv CVE-2020-29555 GHSA-gpmf-q5jh-hjx4
Affected version: <1.6.30|>=1.7.0-beta.1,<=1.7.0-rc.17
Reported by: GitHub

- [MEDIUM] Grav CMS Local File Injection
PKSA-8kbr-mb2p-47pd CVE-2020-29556 GHSA-r3rg-jrjq-w4mr
Affected version: <1.6.30|>=1.7.0-beta.1,<=1.7.0-rc.17
Reported by: GitHub

- [MEDIUM] Stored cross site scripting in getgrav/grav
PKSA-8hgq-58j8-2r94 CVE-2022-1173 GHSA-3p5m-j98p-c698
Affected version: <1.7.33
Reported by: GitHub

- [HIGH] Stored Cross-site Scripting in grav
PKSA-tr2h-7v8b-81ts CVE-2022-0970 GHSA-r6hh-5g3q-wwgc
Affected version: <1.7.31
Reported by: GitHub

- [MEDIUM] Cross site scripting in getgrav/grav
PKSA-b4mw-jq78-tcbr CVE-2022-0743 GHSA-2p89-ppc2-mrq4
Affected version: <1.7.31
Reported by: GitHub

- [MEDIUM] Cross-site Scripting in grav
PKSA-vqg2-497k-m3wg CVE-2022-0268 GHSA-735v-wx75-xmmm
Affected version: <1.7.28
Reported by: GitHub

- [MEDIUM] Open Redirect in Grav
PKSA-t4fn-8yhd-81q4 CVE-2020-11529 GHSA-wrxc-mr2w-cjpv
Affected version: <1.6.23
Reported by: GitHub

- [HIGH] Path traversal in grav
PKSA-9xzb-d7b7-mcmc CVE-2021-3924 GHSA-8c5p-4362-9333
Affected version: <=1.7.24
Reported by: GitHub

- [MEDIUM] Cross-Site Scripting in grav
PKSA-y8bw-fn2v-ndyh CVE-2021-3904 GHSA-5jxc-hmqf-3f73
Affected version: <1.7.24
Reported by: GitHub

- [MEDIUM] Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
PKSA-4ky1-h6sk-d69f CVE-2021-3818 GHSA-cg3q-59w7-rvc2
Affected version: <1.7.21
Reported by: GitHub

- [HIGH] Grav's Twig processing allowing dangerous PHP functions by default
PKSA-zfmm-zsx8-rxf1 CVE-2021-29440 GHSA-g8r4-p96j-xfxc
Affected version: <=1.7.10
Reported by: GitHub

- [MEDIUM] Cross-Site Scripting in Grav
PKSA-qj1n-7jvb-xy2y GHSA-cvmr-6428-87w9
Affected version: <1.6.30
Reported by: GitHub

- [MEDIUM] Cross-site Scripting in Grav
PKSA-b9pb-c1xy-1cn5 CVE-2019-16126 GHSA-6268-v434-45m5
Affected version: <=1.7.0-beta.7
Reported by: GitHub