Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: grav

Found 13 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2020-37256
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 day, 10 hours ago Activity log
  • Created suggestion 1 day, 10 hours ago
Grav - Cross-Site Scripting in Admin Plugin Page Editor

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

Affected products

Grav
  • <1.6.30
  • ==1.6.30

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-cli

Google's Go-based terminal user interface (TUI) agent client

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 10
    • nixpkgs-unstable 10
    • nixos-unstable-small 10
  • nixos-26.05 10
    • nixos-26.05-small 10
    • nixpkgs-26.05-darwin 10

Package maintainers

Published
Permalink CVE-2026-56701
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 3 days ago by @LeSuisse Activity log
  • Created suggestion 3 days, 10 hours ago
  • @LeSuisse ignored
    21 packages
    • gravit
    • antigravity
    • antigravity-cli
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    3 days, 1 hour ago
  • @LeSuisse accepted 3 days, 1 hour ago
  • @LeSuisse published on GitHub 3 days ago
Grav - XML External Entity Injection via SVG Upload

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.

Affected products

Grav
  • ==2.0.0-beta.2
  • <2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (21)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-cli

Google's Go-based terminal user interface (TUI) agent client

  • nixos-unstable -
    • nixpkgs-unstable 1.0.7
    • nixos-unstable-small 1.0.7

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 10
    • nixpkgs-unstable 10
    • nixos-unstable-small 10
  • nixos-26.05 10
    • nixos-26.05-small 10
    • nixpkgs-26.05-darwin 10

Package maintainers

Published
Permalink CVE-2026-42844
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.

Affected products

grav
  • ==2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-42608
8.8 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

Affected products

grav
  • ==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Patch: https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632
Published
Permalink CVE-2026-42841
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Stored XSS via Markdown media attribute() action in Grav CMS

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.

Affected products

grav
  • ==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-42609
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.

Affected products

grav
  • ==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-42607
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.

Affected products

grav
  • ==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-44738
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.

Affected products

grav
  • ==< 2.0.0-rc.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-42842
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.

Affected products

grav
  • ==< 2.0.0-beta.2
grav-plugin-form
  • ==< 9.1.0

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers

Published
Permalink CVE-2026-42613
9.4 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    20 packages
    • gravit
    • antigravity
    • antigravity-fhs
    • stardust-xr-gravity
    • kdePackages.libgravatar
    • gnomeExtensions.gravatar
    • haskellPackages.gravatar
    • python312Packages.libgravatar
    • python313Packages.libgravatar
    • python314Packages.libgravatar
    • python312Packages.flask-gravatar
    • python313Packages.flask-gravatar
    • python314Packages.flask-gravatar
    • python312Packages.django-gravatar2
    • python313Packages.django-gravatar2
    • python314Packages.django-gravatar2
    • perlPackages.MojoliciousPluginGravatar
    • perl5Packages.MojoliciousPluginGravatar
    • perl538Packages.MojoliciousPluginGravatar
    • perl540Packages.MojoliciousPluginGravatar
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Grav: Privilege Escalation via Missing Server-Side Validation of groups/access

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.

Affected products

grav
  • ==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.

  • nixos-unstable 9
    • nixpkgs-unstable 9
    • nixos-unstable-small 9

Package maintainers