Description
Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
Published: 2026-06-23
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Grav versions prior to 2.0.0-beta.2 process user-uploaded SVG files with simplexml_load_string without disabling external entity loading. This permits XML external entity (XXE) injection: an attacker with authenticated access can upload a crafted SVG file that references external entities, causing the server to read arbitrary local files and exfiltrate sensitive content such as configuration data or credentials. The vulnerability is a classic XXE flaw, classified under CWE-611, and poses a high confidentiality risk.

Affected Systems

The affected product is Grav, the popular flat-file CMS. All releases before 2.0.0-beta.2 are vulnerable. No specific patch rollout dates are listed, but any deployment of an affected version is susceptible.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. No EPSS score is available. Because the flaw requires authenticated access, only users who can log into the Grav back-office can exploit it. The vulnerability is not listed in the CISA KEV catalog, suggesting no public exploit yet, but the combination of a high CVSS score and a formulaic exploitation path still indicates non-negligible risk. Authentication is a prerequisite, so unauthenticated users cannot trigger the vulnerability, but once inside the admin zone an attacker can read any file accessible to the server process.

Generated by OpenCVE AI on June 23, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grav to version 2.0.0-beta.2 or later, which disables external entity loading in SVG processing
  • If a patch is unavailable, restrict the SVG upload feature to trusted administrators only and audit the uploads for external entity references
  • Configure the PHP setting "xml.load_external_entities" to "Off" to globally prevent XXE processing in all SimpleXML operations
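The second action above asks for an audit of uploaded SVGs for external entity references. The following is an added example (not code from Grav or OpenCVE) of that audit in Python: it decodes the upload (including UTF-16 variants a naive byte search would miss), flags any DOCTYPE, and names every external or internal entity declaration, which is the same check an upload gate can apply to reject the file before it reaches simplexml_load_string. The sample SVGs and the file path inside them are constructed placeholders.

```python
"""Audit uploaded SVG files for the XML constructs that make XXE possible.
Constructed example for this advisory, not code from Grav or OpenCVE."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri"> / <!ENTITY % name PUBLIC "id" "uri">: the XXE trigger
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.I)
# <!ENTITY name "value">: internal entity, no file read but still not needed in an SVG
INTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+[\"']", re.I)

def decode_xml(data: bytes) -> str:
    """Decode by BOM or byte pattern so a UTF-16 encoded upload is not skipped."""
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"),
                     (b"\xef\xbb\xbf", "utf-8")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    head = data[:64]
    if b"\x00" in head:  # NUL bytes up front: BOM-less UTF-16
        enc = "utf-16-le" if head[1:2] == b"\x00" else "utf-16-be"
        return data.decode(enc, errors="replace")
    return data.decode("utf-8", errors="replace")

def audit_svg(data: bytes) -> list[str]:
    """Return findings for one upload; an empty list means nothing XXE-relevant."""
    text = decode_xml(data)
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append("DOCTYPE declaration present (a plain SVG never needs one)")
    for m in EXTERNAL_ENTITY_RE.finditer(text):
        kind = "parameter" if m.group(1) else "general"
        findings.append(f"external {kind} entity '{m.group(2)}' declared via {m.group(3).upper()}")
    for m in INTERNAL_ENTITY_RE.finditer(text):
        findings.append(f"internal entity '{m.group(2)}' declared")
    return findings

def accept_svg_upload(data: bytes) -> bool:
    """Upload gate for the audit recommendation: reject any SVG with a DOCTYPE or entity."""
    return not audit_svg(data)

# Constructed samples, not taken from the advisory; the file path is a placeholder.
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b'<rect width="4" height="4"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret"> ]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SVG), ("xxe", XXE_SVG)):
        print(name, audit_svg(blob) or "clean")
```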

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 16:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type                  Values Removed    Values Added
Description                             Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
Title                                   Grav - XML External Entity Injection via SVG Upload
First Time appeared                     Getgrav
                                        Getgrav grav-plugin-admin
Weaknesses                              CWE-611
CPEs                                    cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:*
Vendors & Products                      Getgrav
                                        Getgrav grav-plugin-admin
References
Metrics                                 cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                        cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Getgrav Grav-plugin-admin
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T14:42:29.383Z

Reserved: 2026-06-22T17:09:16.556Z

Link: CVE-2026-56701

Vulnrichment

Updated: 2026-06-23T14:42:21.697Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-611: Improper Restriction of XML External Entity Reference