Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

getgrav — Vulnerabilities & Security Advisories 61

Browse all 61 CVE security advisories affecting getgrav. AI-powered Chinese analysis, POCs, and references for each vulnerability.

GetGrav is a flat-file CMS designed for developers seeking a modern, flexible alternative to database-driven platforms. Its architecture eliminates traditional SQL dependencies, relying instead on YAML configuration and Markdown content. However, this design has historically exposed the platform to significant security risks, resulting in forty-seven recorded CVEs. Common vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation flaws, often stemming from inadequate input validation or insecure file handling mechanisms. Notable incidents have highlighted weaknesses in plugin ecosystems and core update processes, allowing attackers to execute arbitrary code or bypass authentication. While the flat-file structure offers performance benefits, it has also introduced unique attack vectors related to file permissions and serialization. Users must prioritize rigorous plugin auditing and timely patching to mitigate these persistent threats inherent in the system’s evolving codebase.

Top products by getgrav: grav getgrav/grav grav-plugin-admin getgrav/grav-plugin-admin GravCMS Grav CMS Admin Plugin grav-plugin-api grav-plugin-form
CVE IDTitleCVSSSeverityPublished
CVE-2025-66298 Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms — gravCWE-1336 5.3AIMediumAI2025-12-01
CVE-2025-66297 Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection — gravCWE-1336 7.2AIHighAI2025-12-01
CVE-2025-66296 Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover — gravCWE-266 8.8 High2025-12-01
CVE-2025-66294 Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass — gravCWE-94 7.2AIHighAI2025-12-01
CVE-2025-66295 Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption — gravCWE-22 8.8 High2025-12-01
CVE-2024-34082 Grav Arbitrary File Read to Account Takeover — gravCWE-269 8.5 High2024-05-15
CVE-2024-28119 Grav vulnerable to Server Side Template Injection (SSTI) via Twig escape handler — gravCWE-94 8.8 High2024-03-21
CVE-2024-28118 Grav vulnerable to Server Side Template Injection (SSTI) — gravCWE-94 8.8 High2024-03-21
CVE-2024-28117 Grav vulnerable to Server Side Template Injection (SSTI) — gravCWE-94 8.8 High2024-03-21
CVE-2024-28116 Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass — gravCWE-94 8.8 High2024-03-21
CVE-2024-27921 Grav File Upload Path Traversal vulnerability — gravCWE-22 8.8 High2024-03-21
CVE-2024-27923 Remote Code Execution by uploading a phar file using frontmatter — gravCWE-287 8.8 High2024-03-06
CVE-2023-37897 Server-side Template Injection (SSTI) in grav — gravCWE-74 7.2 High2023-07-18
CVE-2023-34452 Grav vulnerable to Self Cross Site Scripting in /forgot_password — gravCWE-79 5.4 Medium2023-06-14
CVE-2023-34448 Grav Server-side Template Injection (SSTI) via Twig Default Filters — gravCWE-20 8.8 High2023-06-14
CVE-2023-34253 Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass — gravCWE-184 8.8 High2023-06-14
CVE-2023-34252 Grav Server-side Template Injection via Insufficient Validation in filterFilter — gravCWE-184 8.8 High2023-06-14
CVE-2023-34251 Grav Server Side Template Injection vulnerability — gravCWE-94 10.0 Critical2023-06-14
CVE-2022-2073 Code Injection in getgrav/grav — getgrav/gravCWE-94 8.8 -2022-06-29
CVE-2022-1173 stored xss in getgrav/grav — getgrav/gravCWE-79 5.4 -2022-04-26
CVE-2022-0970 Cross-site Scripting (XSS) - Stored in getgrav/grav — getgrav/gravCWE-79 5.4 -2022-03-15
CVE-2022-0743 Cross-site Scripting (XSS) - Stored in getgrav/grav — getgrav/gravCWE-79 5.4 -2022-02-28
CVE-2022-0268 Cross-site Scripting (XSS) - Stored in getgrav/grav — getgrav/gravCWE-79 5.4 -2022-01-25
CVE-2021-3920 Cross-site Scripting (XSS) - Stored in getgrav/grav-plugin-admin — getgrav/grav-plugin-adminCWE-79 5.4 -2021-11-19
CVE-2021-3924 Path Traversal in getgrav/grav — getgrav/gravCWE-22 6.5 -2021-11-05
CVE-2021-3904 Cross-site Scripting (XSS) - Stored in getgrav/grav — getgrav/gravCWE-79 5.4 -2021-10-27
CVE-2021-3818 Reliance on Cookies without Validation and Integrity Checking in getgrav/grav — getgrav/gravCWE-565--2021-09-27
CVE-2021-3799 Improper Restriction of Rendered UI Layers or Frames in getgrav/grav-plugin-admin — getgrav/grav-plugin-adminCWE-1021 3.5 -2021-09-27
CVE-2021-29440 Twig allowing dangerous PHP functions by default — gravCWE-94 8.4 High2021-04-13
CVE-2021-29439 Plugins can be installed with minimal admin privileges — grav-plugin-adminCWE-863 7.2 High2021-04-13

This page lists every published CVE security advisory associated with getgrav. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.