Skip to main content

Grav CMS CVE-2026-61449

| EUVDEUVD-2026-44647 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-15 VulnCheck GHSA-v626-428r-43p8
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.5 MEDIUM

Requires admin/operator upload or a trusted package source (PR:H) and an operator action to trigger extraction (UI:R); impact is availability-only disk/inode exhaustion (A:H).

3.1 AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:22 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
HIGH 7.1

DescriptionCVE.org

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPM\Installer. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory header (ZipArchive::statIndex()['size']) and rejects archives exceeding system.gpm.archive.max_uncompressed_size before extraction. Because this declared size is attacker-forgeable and is not cross-checked against the actual inflated stream, a crafted archive declaring tiny per-entry sizes passes the cap while extractTo() writes the real, much larger content, filling disk or exhausting inodes. The archive must be supplied by a package source or admin upload (admin/operator trust). Fixed in 2.0.2. This is an incomplete fix for GHSA-928x-9mpw-8h56.

AnalysisAI

Denial of service in Grav CMS 2.0.1 lets a trusted package source or admin-level uploader bypass the newly added decompression-bomb size cap and exhaust disk space or inodes on the host. The 2.0.1 cap trusts the attacker-forgeable uncompressed size declared in each ZIP central-directory entry rather than the actual inflated stream, so a crafted archive declaring tiny sizes slips past the check while extraction writes the real, far larger payload. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain admin upload rights or control a GPM package source
Delivery
Craft ZIP with forged tiny central-directory sizes
Exploit
Submit archive, passing 2.0.1 size cap
Execution
extractTo() inflates real oversized content
Impact
Disk/inode exhaustion, site denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to deliver a crafted ZIP archive through a trusted channel - either an admin/operator upload via the Grav admin panel or a package source consumed by GPM\Installer - so an untrusted, fully unauthenticated attacker cannot reach the sink in a default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score of 7.1 (VA:H, availability-only) reflects a pure resource-exhaustion outcome - no confidentiality or integrity impact - and the vector's PR:N conflicts with the description, which explicitly states the archive must come from a package source or admin/operator upload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator with admin upload rights, or a malicious/compromised GPM package source, offers a plugin archive whose ZIP entries declare only a few kilobytes each so it passes Grav 2.0.1's max_uncompressed_size check. When the admin installs it, extractTo() inflates the entries into gigabytes of real data, filling the disk or exhausting inodes and taking the site offline. …
Remediation Upgrade to Grav 2.0.2, which cross-checks the actual inflated stream size against the cap instead of trusting the declared central-directory sizes (Vendor-released patch: 2.0.2; see GHSA-8h9x-89f2-m7x3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Grav CMS 2.0.1 and initiate upgrade to version 2.0.2. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

CVE-2026-61449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy