XML External Entity injection in Grav CMS - #VU130087

Published: May 5, 2026


Vulnerability identifier: #VU130087
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of XML external entity references when parsing uploaded SVG files. A remote user can upload a specially crafted SVG file to disclose sensitive information.

The issue can be reached through the admin panel, including the Pages media workflow or the File Manager plugin.
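The defensive pattern behind CWE-611 in an SVG upload path is to refuse any DTD before the parser can resolve an entity. The following is an added example written for this advisory, not code from the advisory or from the Grav CMS project; it uses Python's stdlib expat bindings and constructed sample uploads (the entity's system identifier is a placeholder).

```python
import xml.parsers.expat as expat


class UnsafeSvgError(ValueError):
    """Raised when an uploaded SVG contains constructs that enable XXE."""


def validate_svg_upload(data: bytes) -> dict:
    """Parse an uploaded SVG with expat configured to refuse any DTD.

    XXE needs a DOCTYPE (to declare entities) or an external entity
    reference; both are rejected before any entity is resolved.
    Returns {"root": <root element name>, "elements": <count>} for a
    document that passed, raises UnsafeSvgError otherwise.
    """
    parser = expat.ParserCreate()
    # Never read external parameter entities (e.g. an external DTD).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stats = {"root": None, "elements": 0}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgError(f"DOCTYPE declaration rejected (name={name!r})")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvgError(f"entity declaration rejected (name={name!r})")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeSvgError(f"external entity reference rejected (systemId={sysid!r})")

    def on_start_element(name, attrs):
        if stats["root"] is None:
            stats["root"] = name
        stats["elements"] += 1

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = on_start_element

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSvgError(f"malformed XML: {exc}") from exc

    if stats["root"] != "svg":
        raise UnsafeSvgError(f"root element is {stats['root']!r}, expected 'svg'")
    return stats


def is_safe_svg(data: bytes) -> bool:
    """Boolean convenience wrapper for use in an upload filter."""
    try:
        validate_svg_upload(data)
    except UnsafeSvgError:
        return False
    return True


# Constructed sample uploads (not taken from the advisory).
BENIGN_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>\n'
)

# Same shape as an XXE attempt: a DOCTYPE declaring an external entity.
# The system identifier is a placeholder; the check rejects the document
# at the DOCTYPE, before the entity could ever be read.
XXE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>\n'
)

if __name__ == "__main__":
    print("benign:", validate_svg_upload(BENIGN_SVG))
    try:
        validate_svg_upload(XXE_SVG)
    except UnsafeSvgError as exc:
        print("rejected:", exc)
```

Rejecting at the DOCTYPE handler rather than scanning the bytes for the string `<!DOCTYPE` means encoding tricks and whitespace variants are handled by the parser itself; the same handlers can be attached in any expat-based pipeline (PHP's libxml offers the equivalent via disabling entity loading) and the file can then be passed on to the image-processing stage.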


Remediation

Install the security update from the vendor's website.

Sources