Information Disclosure in Grav Admin2 Plugin by Grav
CVE-2026-61454

8.7HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
11 July 2026

What is CVE-2026-61454?

The Grav Admin2 plugin prior to version 2.0.4 introduces a vulnerability by embedding a global JavaScript variable, window.GRAV_CONFIG, in the Admin2 Single Page Application (SPA) bootstrap page. This variable is present in every response to unauthenticated users, inadvertently revealing sensitive information about the server configuration. It exposes details such as the server URL, API prefix, admin base path, runtime environment, and precise version identifiers for both Grav and the Admin2 plugin. This can enable unauthorized attackers to identify specific vulnerabilities in the application without needing to carry out additional reconnaissance.

Affected Version(s)

grav 0 < 2.0.4

grav 2.0.4

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nicl4ssic
.