Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network GET with no interaction (AV:N/AC:L/PR:N/UI:N); impact is limited to disclosure of version/path metadata, so C:L with no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.
AnalysisAI
Information disclosure in the Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 exposes a window.__GRAV_CONFIG__ JavaScript object on the /grav/admin SPA bootstrap page and its subroutes, leaking exact Grav and Admin2 version numbers, server URL, API prefix, admin base path, and runtime environment to any unauthenticated visitor. Reported by VulnCheck, the flaw lets remote unauthenticated attackers fingerprint a deployment and pre-select version-specific exploits with zero active reconnaissance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the Grav Admin2 plugin (version before 2.0.4) is installed and its administration SPA is network-reachable at /grav/admin or a subroute; the sensitive window.__GRAV_CONFIG__ object is returned in every unauthenticated response by default, so no special feature toggle or non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) scores 8.7 (High), reflecting trivial, unauthenticated, network-reachable exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker scanning the internet requests /grav/admin, reads the inlined window.__GRAV_CONFIG__ object from the returned HTML, and extracts the exact Grav and Admin2 version numbers plus internal paths. They cross-reference those versions against known CVEs and immediately launch a matching version-specific exploit, skipping the trial-and-error probing that would otherwise generate noise and delay. … |
| Remediation | Vendor-released patch: upgrade the Grav Admin2 plugin to version 2.0.4 or later, which is the primary and confirmed fix (see GHSA-pfjq-chp8-3vgh at https://github.com/getgrav/grav/security/advisories/GHSA-pfjq-chp8-3vgh). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Grav installations running the Admin2 plugin and document current versions; review access logs to /grav/admin for suspicious reconnaissance activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug
Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43184
GHSA-q4j8-3jf6-pjvp