GCVE - cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Getgrav (`a335dd59-994b-520f-884a-04ce57f966e0`)
Product	Grav Cms (`2a54347c-c418-5094-ae32-50ea416319f6`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/getgrav/grav`	purl2cpe	2026-06-01 10:15:21.066983
`pkg:sourceforge/grav.mirror`	purl2cpe	2026-06-01 10:15:21.066986

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2020-29556`	vulnerable	2026-06-08 05:24:58.391768	Details available The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.) Published: 2021-03-15T17:58:17.000Z Updated: 2024-08-04T16:55:10.299Z Open on db.gcve.eu Reference links https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-29555`	vulnerable	2026-06-08 05:24:58.385697	Details available The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.) Published: 2021-03-15T18:00:01.000Z Updated: 2024-08-04T16:55:10.524Z Open on db.gcve.eu Reference links https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-29553`	vulnerable	2026-06-08 05:24:58.367091	Details available The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF). Published: 2021-03-15T18:20:50.000Z Updated: 2024-08-04T16:55:10.462Z Open on db.gcve.eu Reference links https://blog.bssi.fr/cve-2020-29553-cve-2020-29555-cve-2020-29556-multiple-vulnerabilities-within-cms-grav/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-16126`	vulnerable	2026-06-08 05:13:07.762388	Details available Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images. Published: 2019-09-09T01:01:23.000Z Updated: 2024-08-05T01:10:39.968Z Open on db.gcve.eu Reference links https://github.com/getgrav/grav/issues/2657	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-5233`	vulnerable	2026-06-08 05:11:50.475412	Details available Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools. Published: 2018-03-19T21:00:00.000Z Updated: 2024-08-05T05:33:42.799Z Open on db.gcve.eu Reference links https://sysdream.com/news/lab/2018-03-15-cve-2018-5233-grav-cms-admin-plugin-reflected-cross-site-scripting-xss-vulnerability/ http://www.openwall.com/lists/oss-security/2018/03/15/1	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.