CVE-2026-61454
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.GRAV_CONFIG in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| getgrav | grav | 0 < 2.0.4 | affected |
| getgrav | grav | 2.0.4 | unaffected |
Weaknesses
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References
- https://github.com/getgrav/grav/security/advisories/GHSA-pfjq-chp8-3vgh
- https://www.vulncheck.com/advisories/grav-before-information-disclosure-via-grav-config
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.