CVE-2026-61449
Received Received - Intake

Decompression Bomb Bypass in Grav CMS

Vulnerability report for CVE-2026-61449, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPM\Installer. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory header (ZipArchive::statIndex()['size']) and rejects archives exceeding system.gpm.archive.max_uncompressed_size before extraction. Because this declared size is attacker-forgeable and is not cross-checked against the actual inflated stream, a crafted archive declaring tiny per-entry sizes passes the cap while extractTo() writes the real, much larger content, filling disk or exhausting inodes. The archive must be supplied by a package source or admin upload (admin/operator trust). Fixed in 2.0.2. This is an incomplete fix for GHSA-928x-9mpw-8h56.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
getgrav grav to 2.0.2 (exc)
getgrav grav 2.0.2
getgrav ziparchiver *
getgrav installer *
grav grav to 2.0.2 (exc)
ziparchiver ziparchiver to 2.0.2 (exc)
gpm installer to 2.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61449 is a decompression-bomb size-cap bypass in Grav 2.0.1. It affects ZipArchiver and GPM Installer components. The vulnerability allows attackers to bypass size limits by forging small uncompressed sizes in ZIP archive headers while extracting much larger files, potentially filling disk space or exhausting inodes.

Impact Analysis

This vulnerability can lead to denial-of-service by filling up disk space or exhausting inodes on the system where Grav is installed. It requires an attacker to provide a malicious ZIP archive via a package source or admin upload, meaning admin or operator trust is needed.

Detection Guidance

To detect this vulnerability, monitor disk usage during ZIP archive extraction processes, especially in Grav installations. Check for unusually large files or directories appearing after admin uploads or package installations. Review logs for failed extractions or disk space exhaustion events.

Mitigation Strategies

Immediately upgrade Grav to version 2.0.2 or later to address the vulnerability. If upgrading is not possible, disable ZIP archive extraction features in Grav or restrict admin uploads to trusted sources only. Monitor disk space and inode usage closely during extraction operations.

Executive Summary

CVE-2026-61449 is a decompression-bomb size-cap bypass in Grav 2.0.1. It affects ZipArchiver and GPM\Installer components. The vulnerability allows an attacker to bypass size limits by forging small uncompressed sizes in ZIP archive headers while extracting much larger files. This can fill disk space or exhaust inodes.

Impact Analysis

This vulnerability can lead to denial-of-service by filling up disk space or exhausting inodes on the system. It requires an attacker to provide a malicious ZIP archive via a package source or admin upload, meaning admin or operator trust is needed.

Detection Guidance

Monitor disk space usage and inode exhaustion during ZIP archive extraction processes. Check Grav logs for failed or unusually large extraction attempts. Inspect ZIP archives for mismatched declared and actual sizes using tools like 'zipinfo' or 'unzip -l' to compare central directory sizes with extracted content.

Mitigation Strategies

Upgrade Grav to version 2.0.2 or later immediately. Disable admin uploads of ZIP archives if not required. Implement additional validation for ZIP archives by verifying actual extracted sizes against declared sizes. Monitor disk space and inode usage closely during archive operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart