Description
Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.
Published: 2026-03-30
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach
Action: Upgrade
AI Analysis

Impact

The vulnerability is an XML External Entity (XXE) flaw triggered when an SVG file is uploaded through the Grav CMS admin panel or its File Manager plugin. SVG is XML, so an uploaded image can carry a DOCTYPE that declares an external entity; if the server-side XML parser resolves that entity, it reads local files or issues requests to internal or external hosts on the attacker's behalf. The description does not confirm that code execution is possible, but the flaw can expose sensitive data on the server. The weakness is classified as CWE-611 (Improper Restriction of XML External Entity Reference), meaning the parser processes external entities supplied by the attacker.

Affected Systems

Grav CMS versions 1.7.x and earlier are affected. The flaw is present in the default SVG upload handling in the admin interface and the File Manager plugin of these releases.

Risk and Exploitability

The CVSS 3.1 base score of 7.6 (High) comes from the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires low-privilege credentials, that is, an account able to upload files through the admin panel or the File Manager plugin. The rated impact is high for confidentiality and low for integrity and availability. The EPSS score of under 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate that no exploitation activity is known, and the vulnerability is not listed in the CISA KEV catalog. In practice an attacker first needs a valid admin-panel login, so exposure is greatest on sites whose admin panel is reachable from the internet or shared with many content editors.

Generated by OpenCVE AI on April 6, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grav CMS to a fixed release once the vendor publishes one; the advisory names no fixed version, and all 1.7.x and earlier releases are affected
  • If an upgrade is not possible, disable SVG uploads; removing the File Manager plugin is not enough on its own, because the admin panel's own upload path is also affected
  • Restrict access to the admin panel to trusted authenticated users and consider IP allowlisting
  • Reject uploaded SVG files that contain a DOCTYPE or ENTITY declaration, and make sure any server-side parsing of uploaded XML runs with external entity resolution and DTD loading disabled

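The last recommended action above, checking uploads for entity declarations, as an added example (this is not Grav's code and not a fix the project has shipped): a pre-upload filter that rejects any SVG carrying a DOCTYPE or ENTITY declaration and, as a second layer, parses the file with a parser that reports and refuses DTDs and external entities. Grav itself is PHP; Python is used here so the example runs stand-alone, and the function name check_svg_upload, the sample files and the reject-on-DOCTYPE policy are this example's own assumptions. The same two rules translate directly to PHP: reject DOCTYPE/ENTITY up front, and parse with DOMDocument::loadXML using LIBXML_NONET and never LIBXML_NOENT or LIBXML_DTDLOAD.

```python
"""Added example, not Grav's own code: an upload-time check that refuses SVG
files carrying the XML machinery an XXE payload depends on."""
import re
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"

# An SVG image never needs a DTD or entity declarations, and they are exactly
# what XXE relies on, so their presence alone is grounds to reject the file.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def check_svg_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only well-formed, DTD-free SVG."""
    # Layer 1: cheap byte scan before any parser touches the file.
    if DTD_MARKERS.search(data):
        return False, "DOCTYPE or ENTITY declaration present"

    # Layer 2: parse with handlers that record, and refuse, any DTD or
    # external entity. This catches encodings the byte scan cannot see:
    # a UTF-16 file has a NUL between every ASCII byte, so the regex misses it.
    findings: list[str] = []
    root: list[str] = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("DOCTYPE %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        findings.append("ENTITY %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        findings.append("external entity %s" % sysid)
        return 0  # refuse to resolve it; expat aborts the parse

    def on_start_element(name, attrs):
        if not root:
            root.append(name)  # expat hands us "namespace localname"

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        if findings:
            return False, findings[0]
        return False, "not well-formed XML: %s" % err
    if findings:
        return False, findings[0]
    if root != [SVG_NS + " svg"]:
        return False, "root element is not an SVG image"
    return True, "ok"


# Constructed samples for this example. The XXE file is the generic probe
# pattern, not a payload known to work against Grav.
BENIGN_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>'
)
XXE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
)
XXE_SVG_UTF16 = XXE_SVG.decode("ascii").encode("utf-16")  # BOM + UTF-16LE
NOT_SVG = b'<html xmlns="http://www.w3.org/1999/xhtml"><body/></html>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("xxe", XXE_SVG),
                          ("xxe utf-16", XXE_SVG_UTF16), ("not svg", NOT_SVG)]:
        print("%-10s -> %s" % (label, check_svg_upload(sample)))
```

Run the check before the file is written anywhere a thumbnailer or the site itself will parse it. Note that the byte scan alone is not a sufficient defence: the UTF-16 sample above passes the regex and is caught only by the parser-level handlers. The policy is deliberately strict: SVGs exported by some drawing tools carry a harmless public DOCTYPE and will be rejected; if that matters, strip the DOCTYPE and re-run the check rather than weakening it, and keep the root-element check so that other XML vocabularies cannot be stored under an .svg name.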

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000
  Title: XML External Entity Vulnerability in Grav CMS via SVG Upload

Mon, 06 Apr 2026 16:45:00 +0000
  First Time appeared (added): Getgrav grav
  CPEs (added): cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
  Vendors & Products (added): Getgrav grav

Wed, 01 Apr 2026 02:15:00 +0000
  Title (removed): XML External Entity Vulnerability in Grav CMS SVG Upload
  Title (added): XML External Entity Vulnerability in Grav CMS via SVG Upload
  First Time appeared (added): Getgrav; Getgrav grav Cms
  Vendors & Products (added): Getgrav; Getgrav grav Cms

Tue, 31 Mar 2026 03:00:00 +0000
  Title (added): XML External Entity Vulnerability in Grav CMS SVG Upload

Mon, 30 Mar 2026 20:15:00 +0000
  Weaknesses (added): CWE-611
  Metrics (added): cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:45:00 +0000
  Description (added): Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T19:20:28.827Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29924

Vulnrichment

Updated: 2026-03-30T19:18:47.139Z

NVD

Status : Analyzed

Published: 2026-03-30T19:16:24.470

Modified: 2026-04-06T15:58:27.763

Link: CVE-2026-29924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:41Z

Weaknesses