Synced 18 Jun 2026 05:58 UTC Account
← All products

CVE-2026-29924

HIGH severity · CVSS 7.6 · XML external entity (XXE)
7.6CVSS HIGH

Summary

Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactLow
Availability impactLow
Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected products we track (1)

Grav

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information