getgrav/grav Security Advisories for 2.0.0-beta.3 (3)
- [MEDIUM] Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
  PKSA-p98m-jfx1-qxw4 CVE-2026-55890 GHSA-pmf8-g7c8-7v54
  Affected version: <=2.0.0-rc.8
  Reported by: GitHub
- [HIGH] Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
  PKSA-jw9z-qj9h-1drk CVE-2026-44738 GHSA-j274-39qw-32c9
  Affected version: <=2.0.0-rc.1
  Reported by: GitHub
- [HIGH] Low-privileged Grav API users can create super-admin accounts via blueprint-upload
  PKSA-jtpz-17pm-t9v9 CVE-2026-42844 GHSA-6xx2-m8wv-756h
  Affected version: <2.0.0-beta.4
  Reported by: GitHub