Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
UI:R required as victim must navigate; PR:N since attacker holds no account; C:N as no data is exposed; I:L and A:L for TOTP invalidation impact only.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
grav-plugin-login before 3.8.11 contains a cross-site request forgery (CSRF) vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core dispatches the task from the GET 'task:' URI parameter and the default session cookie is SameSite=Lax, an attacker can lure a logged-in victim to an off-site page that performs a top-level GET navigation, rotating the victim's TOTP secret so their enrolled authenticator no longer matches the server, effectively forcing 2FA re-enrollment. Sites configured with session.samesite: Strict are not affected.
AnalysisAI
CSRF in grav-plugin-login before 3.8.11 allows a remote unauthenticated attacker to rotate a logged-in victim's TOTP secret by luring them to an attacker-controlled page that performs a top-level GET navigation to the Grav site's regenerate2FASecret task endpoint. Because Grav dispatches frontend tasks via GET URI parameters and the default SameSite=Lax session cookie policy permits cross-origin top-level GET navigations to carry cookies, the victim's authenticator app is silently invalidated, forcing 2FA re-enrollment - though the attacker gains no account access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be actively authenticated to the Grav site with a valid session cookie at the time of the attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.3 accurately reflects the bounded real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a web page that automatically redirects visitors to a URL such as https://target-grav-site.com/?task=login.regenerate2FASecret via a standard HTML link or JavaScript window.location assignment. When a user who is currently logged in to the Grav site visits the attacker's page and triggers this top-level GET navigation, the browser attaches the victim's session cookie under the default SameSite=Lax policy, causing the Grav server to execute the TOTP secret rotation in the victim's authenticated session. … |
| Remediation | Upgrade grav-plugin-login to version 3.8.11 or later, which is the vendor-released patch confirmed by the security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-4px8-7p53-282r. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug
Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45082
GHSA-f4c6-8fcq-j58x