CVE-2026-61455
Received Received - Intake

Grav CMS Decompression Bomb Vulnerability

Vulnerability report for CVE-2026-61455, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a crafted ZIP archive that expands to fill available disk space, causing denial of service by exhausting storage resources.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 2.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61455 is a decompression bomb vulnerability in Grav CMS versions before 2.0.1. It exists in the ZipArchiver::extract() method, which does not impose limits on the uncompressed size, number of files, or nesting depth when extracting ZIP archives.

An attacker can craft a small ZIP file that, when extracted, expands massively (for example, a 42 KB ZIP expanding to 10 GB), potentially filling up all available disk space.

This can cause a denial of service (DoS) by exhausting storage resources on the affected system.

The vulnerability arises because unlike the Installer::unZip() method, ZipArchiver::extract() lacks protections against such decompression bombs.

Compliance Impact

The vulnerability causes a denial-of-service condition by exhausting disk space through decompression bombs, impacting system availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, denial of service and resource exhaustion could indirectly affect compliance by disrupting availability requirements in these regulations.

However, there is no direct information provided about how this vulnerability specifically impacts compliance with such standards.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service on your system.

By supplying a specially crafted ZIP archive, an attacker can cause your system to run out of disk space during extraction, potentially disrupting services or applications relying on Grav CMS.

This exhaustion of storage resources can lead to system instability, crashes, or inability to store new data until the disk space is freed.

Detection Guidance

This vulnerability involves a decompression bomb in ZIP archives that can cause denial of service by exhausting disk space when extracted. Detection involves monitoring for unusually large disk usage spikes or extraction of suspicious ZIP files that expand disproportionately compared to their compressed size.

Since the vulnerability is triggered by extraction of crafted ZIP files, you can detect potential exploitation attempts by checking for large ZIP files or monitoring extraction operations.

  • Use disk usage monitoring commands such as 'df -h' or 'du -sh' on directories where ZIP files are extracted to detect sudden large disk consumption.
  • List recently extracted files and their sizes with commands like 'ls -lh' or 'find /path/to/extract -type f -exec ls -lh {} +' to identify unexpectedly large extracted content.
  • Check for ZIP files with suspicious compression ratios using tools like 'zipinfo' or '7z l' to analyze archive contents before extraction.
  • Monitor application logs or plugin logs that use ZipArchiver::extract() for unusual extraction errors or warnings.
Mitigation Strategies

The primary mitigation is to apply the same archive limits validation used in the safe Installer::unZip() method to the ZipArchiver::extract() method. This includes enforcing limits on uncompressed size, file count, and nesting depth during ZIP extraction.

Since the vulnerable code path is not used by first-party Grav code but may be triggered by third-party plugins or custom code, review and update any plugins or custom code that use ZipArchiver::extract() to include these protections.

Additionally, monitor and restrict the size and content of ZIP files accepted by your system to prevent decompression bombs.

If available, update Grav CMS and any related plugins to versions that include the fix for this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61455. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart