XML External Entity Vulnerability in Grav CMS by GetGrav
CVE-2026-29924

7.6HIGH

Key Information:

Vendor: GetGrav
Status: Grav CMS
Vendor: CVE Published:; 30 March 2026

What is CVE-2026-29924?

Grav CMS versions up to 1.7.x are susceptible to an XML External Entity (XXE) attack through the SVG file upload feature in the admin interface and the File Manager plugin. This vulnerability allows an attacker to exploit the upload functionality, potentially leading to exposure of sensitive data or other malicious actions. It is crucial for users of Grav CMS to ensure they are using updated versions to mitigate this risk.

References

https://github.com/getgrav/grav

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 30, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29924 Data

JSON