cvedb.io
CVE-2026-42611
HIGH · CVSS 8.9
EPSS exploitation probability: 0%
Published 2026-05-11T16:17:34.173 · Last modified 2026-06-17T10:48:11.327

Summary

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.

Affected products

getgrav — grav

Does this affect you?

Add your gear to cvedb and we'll alert you only when getgrav ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.