CVE-2026-29924
XXE Vulnerability in Grav CMS SVG Upload Enables Data Exposure
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | < 1.8.0 (1.8.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Grav CMS versions 1.7.x and earlier contain an XML External Entity (XXE) vulnerability that can be exploited through the SVG file upload feature in the admin panel and in the File Manager plugin: an uploaded SVG is XML, and if the server parses it with external entity resolution enabled, entity declarations in the file can pull in content from outside the document.
How can this vulnerability impact me?
An attacker with access to the SVG upload functionality of the admin panel or File Manager plugin in Grav CMS v1.7.x and earlier can trigger XML External Entity (XXE) processing on the server.
The impact includes potential unauthorized disclosure of sensitive information (high confidentiality impact), partial modification of data (low integrity impact), and partial disruption of service (low availability impact).
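The two answers above describe the failure mode (SVG is XML, and a parser that honours DOCTYPE/ENTITY declarations will fetch external resources) but not what a safe upload check looks like. The following is an added example written for this page, not Grav's own code and not the fix shipped in 1.8.0; the helper name `isSafeSvgUpload` and the two sample documents are constructed for illustration. It rejects any SVG carrying a DOCTYPE or entity declaration, parses with network access disabled, and then confirms that what survived really is an SVG root element.

```php
<?php
// Added example (not part of Grav): validate an uploaded SVG before storing it.
// Strategy: (1) an image never needs <!DOCTYPE> or <!ENTITY>, so refuse them
// outright; (2) parse with LIBXML_NONET and WITHOUT LIBXML_NOENT/LIBXML_DTDLOAD
// so the parser neither substitutes entities nor fetches anything remote;
// (3) confirm no DTD survived and the root element is <svg> in the SVG namespace.

/**
 * Returns true only for a DTD-free document whose root is an SVG element.
 *
 * @param string $svg raw bytes of the uploaded file
 */
function isSafeSvgUpload(string $svg): bool
{
    if ($svg === '') {
        return false; // DOMDocument::loadXML() rejects empty input anyway
    }

    // Step 1: cheap textual pre-check for the constructs that carry XXE.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg) === 1) {
        return false;
    }

    // Step 2: parse with external access disabled. Note that LIBXML_NOENT is
    // deliberately absent: that flag *enables* entity substitution.
    $previousErrorMode = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);
    if ($parsed !== true) {
        return false; // malformed XML is not an acceptable image either
    }

    // Step 3: belt and braces. No doctype node, and the root is really <svg>.
    if ($doc->doctype !== null) {
        return false;
    }
    $root = $doc->documentElement;

    return $root !== null
        && $root->localName === 'svg'
        && $root->namespaceURI === 'http://www.w3.org/2000/svg';
}

// Constructed samples for a local run. The second one declares an external
// entity (the path is a placeholder), which is exactly what the check refuses.
$cleanSvg = '<?xml version="1.0"?>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect width="10" height="10"/></svg>';

$entitySvg = '<?xml version="1.0"?>'
    . '<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>'
    . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';

var_dump(isSafeSvgUpload($cleanSvg));  // bool(true)
var_dump(isSafeSvgUpload($entitySvg)); // bool(false)
```

The textual pre-check in step 1 is intentionally blunt: a legitimate SVG exported by a drawing tool may contain a DOCTYPE, but refusing those is a far smaller cost than letting a DTD reach the parser, and it also stops entity-expansion ("billion laughs") payloads that contain no external reference at all. Step 2 matters because the default behaviour of PHP's libxml binding has changed across versions; passing `LIBXML_NONET` and leaving out `LIBXML_NOENT` makes the policy explicit instead of relying on the build.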