CVE-2026-29924
Received Received - Intake
XXE Vulnerability in Grav CMS SVG Upload Enables Data Exposure

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description
Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29924
EUVD
EUVD-2026-17148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 1.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Grav CMS version 1.7.x and earlier contains a vulnerability known as XML External Entity (XXE) that can be exploited through the SVG file upload feature available in the admin panel and the File Manager plugin.

Impact Analysis

This vulnerability allows an attacker to exploit XML External Entity (XXE) processing through the SVG file upload functionality in the admin panel and File Manager plugin of Grav CMS v1.7.x and earlier.

The impact includes potential unauthorized disclosure of sensitive information (high confidentiality impact), partial modification of data (low integrity impact), and partial disruption of service (low availability impact).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart