Skip to main content

Grav Admin2 CVE-2026-61454

| EUVDEUVD-2026-43184 HIGH
Information Exposure (CWE-200)
2026-07-11 VulnCheck GHSA-q4j8-3jf6-pjvp
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Unauthenticated network GET with no interaction (AV:N/AC:L/PR:N/UI:N); impact is limited to disclosure of version/path metadata, so C:L with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 11, 2026 - 15:01 EUVD
Analysis Generated
Jul 11, 2026 - 13:51 vuln.today

DescriptionCVE.org

The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

AnalysisAI

Information disclosure in the Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 exposes a window.__GRAV_CONFIG__ JavaScript object on the /grav/admin SPA bootstrap page and its subroutes, leaking exact Grav and Admin2 version numbers, server URL, API prefix, admin base path, and runtime environment to any unauthenticated visitor. Reported by VulnCheck, the flaw lets remote unauthenticated attackers fingerprint a deployment and pre-select version-specific exploits with zero active reconnaissance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed /grav/admin endpoint
Delivery
Send unauthenticated HTTP GET
Exploit
Parse inlined window.__GRAV_CONFIG__ object
Execution
Extract Grav and Admin2 versions and paths
Impact
Select version-specific exploit for follow-on attack

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the Grav Admin2 plugin (version before 2.0.4) is installed and its administration SPA is network-reachable at /grav/admin or a subroute; the sensitive window.__GRAV_CONFIG__ object is returned in every unauthenticated response by default, so no special feature toggle or non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) scores 8.7 (High), reflecting trivial, unauthenticated, network-reachable exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scanning the internet requests /grav/admin, reads the inlined window.__GRAV_CONFIG__ object from the returned HTML, and extracts the exact Grav and Admin2 version numbers plus internal paths. They cross-reference those versions against known CVEs and immediately launch a matching version-specific exploit, skipping the trial-and-error probing that would otherwise generate noise and delay. …
Remediation Vendor-released patch: upgrade the Grav Admin2 plugin to version 2.0.4 or later, which is the primary and confirmed fix (see GHSA-pfjq-chp8-3vgh at https://github.com/getgrav/grav/security/advisories/GHSA-pfjq-chp8-3vgh). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Grav installations running the Admin2 plugin and document current versions; review access logs to /grav/admin for suspicious reconnaissance activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

CVE-2026-61454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy