Decompression Bomb Vulnerability in Grav: Issues with ZipArchiver and GPM Installer
CVE-2026-61449

7.1HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61449?

Grav 2.0.1 is susceptible to a decompression bomb vulnerability originating from a size-cap bypass in its ZipArchiver and GPM Installer components. The flaw occurs when the uncompressed sizes declared in each entry's ZIP central-directory header are not properly verified against the actual size during extraction. This oversight allows attackers to craft malicious ZIP archives that declare significantly smaller sizes, enabling a payload that exceeds the defined size cap to be extracted, potentially filling disk storage or exhausting inodes. The vulnerability relies on the trust of the package source or admin upload, and users are advised to upgrade to Grav 2.0.2, although this update may not fully address the underlying issues as highlighted in GitHub Security Advisory GHSA-928x-9mpw-8h56.

Affected Version(s)

grav 0 < 2.0.2

grav 2.0.2

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

iliaal
.