Decompression Bomb Vulnerability in Grav by GetGrav
CVE-2026-61455
7.1HIGH
What is CVE-2026-61455?
Grav versions prior to 2.0.1 are susceptible to a decompression bomb vulnerability within the ZipArchiver::extract() function. This vulnerability allows attackers to create a specially crafted ZIP archive that expands excessively, consuming all available disk space. The absence of restrictions on uncompressed size, file count, and nesting depth can lead to significant disruptions, effectively causing a denial of service by exhausting storage resources on the affected system. It is crucial for users to apply the necessary updates to mitigate this risk.
Affected Version(s)
grav 0 < 2.0.1
grav 2.0.1
