CVE-2026-29924
Received Received - Intake

XXE Vulnerability in Grav CMS SVG Upload Enables Data Exposure

Vulnerability report for CVE-2026-29924, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description

Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-07-06
AI Q&A
2026-03-30
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 1.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Grav CMS version 1.7.x and earlier contains a vulnerability known as XML External Entity (XXE) that can be exploited through the SVG file upload feature available in the admin panel and the File Manager plugin.

Impact Analysis

This vulnerability allows an attacker to exploit XML External Entity (XXE) processing through the SVG file upload functionality in the admin panel and File Manager plugin of Grav CMS v1.7.x and earlier.

The impact includes potential unauthorized disclosure of sensitive information (high confidentiality impact), partial modification of data (low integrity impact), and partial disruption of service (low availability impact).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart