Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable upload feature (AV:N/AC:L) requires an authenticated low-privilege account (PR:L); impact is pure disk-exhaustion DoS, so C:N/I:N/A:H with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a crafted ZIP archive that expands to fill available disk space, causing denial of service by exhausting storage resources.
AnalysisAI
Denial of service in Grav CMS before 2.0.1 allows authenticated users to exhaust server storage by uploading a crafted ZIP archive (a decompression bomb) that the ZipArchiver::extract() routine expands without enforcing limits on uncompressed size, file count, or nesting depth. The CVSS 4.0 base score of 7.1 reflects a network-reachable, low-privilege flaw whose sole impact is high availability loss. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account (CVSS PR:L) with permission to reach a Grav feature that invokes ZipArchiver::extract() - specifically the ZIP-based package/plugin/theme installation or backup-restore upload paths - and the ability to supply an attacker-controlled ZIP archive to one of those endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a moderate, availability-only risk rather than a top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege authenticated account with access to Grav's upload or package-installation feature crafts a small ZIP decompression bomb (highly redundant data with deep nesting) and submits it to a function that calls ZipArchiver::extract(). Extraction proceeds without size or depth limits, expanding the archive until the server's disk fills, halting Grav and potentially other services on the same volume. … |
| Remediation | Vendor-released patch: Grav 2.0.1 - upgrade to version 2.0.1 or later, which adds limits to ZipArchiver::extract(), per the GitHub Security Advisory GHSA-928x-9mpw-8h56 (https://github.com/getgrav/grav/security/advisories/GHSA-928x-9mpw-8h56) and the VulnCheck advisory (https://www.vulncheck.com/advisories/grav-before-decompression-bomb-via-ziparchiver). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Grav CMS production deployments and audit which user accounts have file upload privileges. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug
Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42904
GHSA-jxpj-m582-7727