CVE-2021-47812

Critical CVSS: 9.3

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution.

Vendor

Getgrav

Product

Grav

CWE

CWE-862

Yayın Tarihi

2026-01-16 00:16:26

Güncelleme

2026-02-02 16:16:15

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-862 Grav CRITICAL Getgrav 2026

Referanslar

https://getgrav.org https://www.exploit-db.com/exploits/49973 https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated https://www.exploit-db.com/exploits/49973

Benzer Kayıtlar

High

CVE-2026-29924

Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the a…

Medium

CVE-2025-66843

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An…

Critical

CVE-2025-66844

In grav

Medium

CVE-2025-65186

Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page con…

Medium

CVE-2025-66312

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create…

Medium

CVE-2025-66310

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create…