Decompression Bomb Vulnerability in Grav by GetGrav
CVE-2026-61455

7.1HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-61455?

Grav versions prior to 2.0.1 are susceptible to a decompression bomb vulnerability within the ZipArchiver::extract() function. This vulnerability allows attackers to create a specially crafted ZIP archive that expands excessively, consuming all available disk space. The absence of restrictions on uncompressed size, file count, and nesting depth can lead to significant disruptions, effectively causing a denial of service by exhausting storage resources on the affected system. It is crucial for users to apply the necessary updates to mitigate this risk.

Affected Version(s)

grav 0 < 2.0.1

grav 2.0.1

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
.