Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin upload (AV:N/AC:L) that requires an authenticated admin account (PR:L) and no user interaction (UI:N); it reads arbitrary files, so VC:H, but there is no write or denial-of-service effect at the base level, so VI:N/VA:N.
Primary rating from Vendor (VulnCheck).
Description (source: CVE.org)
Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
Analysis (AI)
Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires valid authenticated access to the Grav admin panel (CVSS PR:L) with permission to upload media via Pages → Media or the File Manager plugin, against a Grav installation older than 2.0.0-beta.2 where simplexml_load_string() processes SVG content without LIBXML_NONET or an entity-loading guard. … |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) correctly characterizes the bug as network-reachable but requiring low-privilege authentication, with high confidentiality impact and no integrity or availability impact at the base level, a realistic 7.1. … |
| Exploit Scenario | An attacker who has obtained Grav admin credentials (through phishing, password reuse, or a separate vulnerability) logs into the admin panel, opens any page's Media tab, and uploads a crafted SVG containing a DOCTYPE declaration with a SYSTEM entity pointing at file:///srv/grav/user/accounts/admin.yaml. The server parses the SVG via simplexml_load_string(), inlines the file contents into the rendered or stored output, and the attacker harvests admin password hashes, 2FA seeds, and .env secrets to escalate to full host compromise. … |
| Remediation | Vendor-released patch: upgrade Grav to 2.0.0-beta.2 or later, which corresponds to upstream commit 5a12f9be8314682c8713e569e330f11805d0a663 (https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663); see the GHSA advisory at https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p for full details. … |
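As an added example (not Grav's own code; the function names and sample inputs are constructed), the SimpleXML call pattern under which a SYSTEM entity in an uploaded SVG is expanded, beside a hardened parser for user-supplied SVGs. The guard that matters is refusing any DTD and never passing LIBXML_NOENT; LIBXML_NONET on its own only blocks network URIs, not file:// entities.

```php
<?php
// Added example, not Grav's code: the XXE-prone SimpleXML call next to a
// hardened SVG parser. Function names and the sample inputs are constructed.

/** Weak pattern: LIBXML_NOENT makes libxml substitute external entities, so a
 *  SYSTEM entity declared in the SVG's DTD is read from disk and inlined. */
function parseSvgUnsafe(string $svg): SimpleXMLElement|false
{
    return simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NOENT);
}

/** Hardened: refuse any DTD up front (only a DTD can declare entities), never
 *  pass LIBXML_NOENT, block network fetches, and treat libxml errors as rejection.
 *  Editor-exported SVGs sometimes carry a harmless DOCTYPE; rejecting all of them
 *  is the conservative trade-off for uploads from untrusted users. */
function parseSvgSafely(string $svg): ?SimpleXMLElement
{
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $svg)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET forbids http(s)/ftp entities.
    $doc = simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false || $errors !== [] || $doc->getName() !== 'svg') {
        return null;
    }
    return $doc;
}

// Constructed inputs: a benign icon and an SVG carrying an external entity
// (placeholder path; an attacker would point it at a secrets file).
$benign  = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>';
$hostile = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x SYSTEM "file:///PLACEHOLDER/secret.yaml">]>'
         . '<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>';

assert(parseSvgSafely($benign) instanceof SimpleXMLElement);
assert(parseSvgSafely($hostile) === null);
// On PHP < 8.0 also call libxml_disable_entity_loader(true) at bootstrap; PHP 8
// disables the external entity loader by default, but LIBXML_NOENT remains vulnerable.
```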
Recommended Action (AI)
Within 24 hours: disable SVG upload functionality or restrict uploads to authenticated users only; audit admin account access logs for suspicious activity. …
Related Grav vulnerabilities
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists …
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical …
- A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug…
- GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can …
- Information disclosure in Grav CMS versions prior to 2.0.0-rc.2 allows authenticated users with admin.pages role to extr…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav config…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CM…
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section …
- Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page con…
Same technique: Information Disclosure
Related identifiers: EUVD-2026-38442, GHSA-32fw-h446-j4hh