File-Based Web Platform Vulnerability in Grav by GetGrav
CVE-2026-55885

6.8MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55885?

Grav, a popular file-based web platform, contains a security flaw that allows authenticated administrators with backup permissions to download a ZIP archive of the complete Grav installation. This archive may include sensitive files such as 'user/accounts/admin.yaml', which contains the administrator's password hash, and 'user/config', which holds site configuration data. This vulnerability is initiated through a backup download endpoint, accessible solely via the session-static admin-nonce URL parameter. The issue was resolved in version 1.7.53, highlighting the need for users to upgrade to safeguard administration credentials and configurations.

Affected Version(s)

grav < 1.7.53

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.