
Grav CMS EUVD-2026-38442

CVE-2026-56701 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-23 VulnCheck GHSA-32fw-h446-j4hh
7.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable admin upload (AV:N/AC:L), requires authenticated admin (PR:L), no UI; reads arbitrary files so C:H, but no write or DoS at base, so I:N/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:06 vuln.today
Analysis Generated
Jun 23, 2026 - 13:06 vuln.today

Description (CVE.org)

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.

Analysis (AI)

Arbitrary file disclosure in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated admin-panel users to read sensitive server files via XML External Entity (XXE) injection in SVG upload processing. The flaw stems from simplexml_load_string() being called without entity-loader protections, enabling exfiltration of credentials, configuration, and environment secrets. …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain Grav admin credentials
Delivery: Log into admin panel
Exploit: Craft SVG with XXE SYSTEM entity
Install: Upload via Pages Media tab
C2: Server parses SVG with simplexml_load_string
Execute: Exfiltrate /etc/passwd and user/accounts YAML
Impact: Escalate using harvested secrets

Vulnerability Assessment (AI)

Exploitation: Requires valid authenticated access to the Grav admin panel (CVSS PR:L) with permission to upload media via Pages → Media or the File Manager plugin, against a Grav installation older than 2.0.0-beta.2 where simplexml_load_string() processes SVG content without LIBXML_NONET or an entity-loading guard. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) correctly characterizes the bug as network-reachable but requiring low-privilege authentication, with high confidentiality impact and no integrity or availability impact at the base level, which gives a realistic 7.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained Grav admin credentials (through phishing, password reuse, or a separate vulnerability) logs into the admin panel, navigates to any page's Media tab, and uploads a crafted SVG containing a DOCTYPE declaration with a SYSTEM entity pointing at file:///srv/grav/user/accounts/admin.yaml. The server parses the SVG via simplexml_load_string(), inlines the file contents into the rendered/stored output, and the attacker harvests admin password hashes, 2FA seeds, and .env secrets to escalate to full host compromise. …

Remediation: Vendor-released patch: upgrade Grav to 2.0.0-beta.2 or later, which corresponds to upstream commit 5a12f9be8314682c8713e569e330f11805d0a663 (https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663); see the GHSA advisory at https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p for full details. … Detailed patch versions, workarounds, and compensating controls in full report.
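The class of defect described above is a parser fed attacker-controlled XML with no entity-loading guard. The following hardened upload-side routine is an added example, not Grav's code and not the upstream patch; the class name `SafeSvgParser`, the placeholder file path and the constructed sample inputs are assumptions. It rejects any DTD or entity declaration before the bytes reach libxml, then parses with external entity resolution disabled and no LIBXML_NOENT, so the SYSTEM-entity pattern from the scenario above is refused rather than inlined.

```php
<?php
declare(strict_types=1);

/**
 * Hardened SVG parsing for an upload handler (assumed helper, not Grav's).
 * Defence in depth: textual pre-check first, then a parser that cannot
 * resolve external entities even if the pre-check were bypassed.
 */
final class SafeSvgParser
{
    public static function parse(string $svg): SimpleXMLElement
    {
        // A legitimate SVG never needs a DTD, so refuse any DOCTYPE or
        // ENTITY declaration up front instead of trusting parser flags alone.
        if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $svg) === 1) {
            throw new InvalidArgumentException('SVG contains a DTD or entity declaration');
        }

        // Make every external entity lookup fail: returning null from the
        // resolver aborts the load. Keep libxml errors out of the output.
        libxml_set_external_entity_loader(
            static fn (?string $publicId, ?string $systemId, array $context) => null
        );
        $useInternal = libxml_use_internal_errors(true);
        try {
            // No LIBXML_NOENT (entities are never substituted), no
            // LIBXML_DTDLOAD, and LIBXML_NONET to block network fetches.
            $doc = simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NONET);
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($useInternal);
            libxml_set_external_entity_loader(null); // restore default resolver
        }

        if ($doc === false || $doc->getName() !== 'svg') {
            throw new InvalidArgumentException('Upload is not a well-formed <svg> document');
        }
        return $doc;
    }
}

// Constructed inputs for illustration: a benign SVG and one carrying the
// DOCTYPE/SYSTEM-entity shape a validator must reject (placeholder path).
$clean = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$xxe   = '<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
       . '<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>';

SafeSvgParser::parse($clean);          // accepted
try {
    SafeSvgParser::parse($xxe);        // rejected before libxml sees it
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The pre-check is the control that matters on older libxml builds; the entity-loader and flag settings are there so that a parser reached by another path still cannot read local files.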

Recommended Action (AI)

Within 24 hours: disable SVG upload functionality or restrict uploads to authenticated users only; audit admin account access logs for suspicious activity. …

