Information Disclosure in Grav Admin2 Plugin by Grav
CVE-2026-61454
8.7HIGH
What is CVE-2026-61454?
The Grav Admin2 plugin prior to version 2.0.4 introduces a vulnerability by embedding a global JavaScript variable, window.GRAV_CONFIG, in the Admin2 Single Page Application (SPA) bootstrap page. This variable is present in every response to unauthenticated users, inadvertently revealing sensitive information about the server configuration. It exposes details such as the server URL, API prefix, admin base path, runtime environment, and precise version identifiers for both Grav and the Admin2 plugin. This can enable unauthorized attackers to identify specific vulnerabilities in the application without needing to carry out additional reconnaissance.
Affected Version(s)
grav 0 < 2.0.4
grav 2.0.4
