Skip to main content
4 CVEs CRITICAL CVSS 9.1

Grav CMS Access Control and Injection Vulnerabilities

2026-07-17

CVE-2026-62232 CRITICAL PATCH

Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.

9.1
CVSS
0.3%
EPSS
CVE-2026-62230 HIGH PATCH

Sensitive configuration file disclosure in Grav CMS before 2.0.4 lets unauthenticated remote attackers bypass the bundled .htaccess protections by requesting blocked file types with uppercase or mixed-case extensions (e.g., .YAML, .PHP). The shipped rules omit the Apache [NC] flag, so extension matching is case-sensitive and fails to block case variants on case-insensitive filesystems (Windows/NTFS, macOS/HFS+, Docker volume mounts), exposing files that may hold API keys and credentials. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

8.7
CVSS
0.3%
EPSS
CVE-2026-62234 HIGH PATCH

Server-side request forgery in Grav CMS before 2.0.4 allows authenticated users holding the api.webhooks.write permission to register webhooks with dangerous cURL protocol handlers (file://, dict://, gopher://) that fire when webhook events trigger. By abusing these unrestricted protocols an attacker can read local files, enumerate process and service information, and pivot to internal-only network services from the trust position of the Grav server. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk is driven by the CWE-918 primitive rather than confirmed in-the-wild activity.

8.4
CVSS
0.3%
EPSS
CVE-2026-62237 MEDIUM PATCH

ReDoS in Grav CMS's Twig sandbox allows an authenticated page editor to crash the web server process via a catastrophically backtracking PCRE pattern supplied to the `regex_replace` filter. Affected versions are all Grav releases prior to 2.0.4. Exploitation requires a non-default configuration (`security.twig_content.process_enabled: true`) and at least page-editor-level authentication, limiting blast radius to deployments that have deliberately unlocked Twig processing in page content. No public exploit code or CISA KEV listing has been identified at time of analysis.

6.0
CVSS
0.2%
EPSS

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy