CVE-2026-61454 in Grav Plugininformação

Sumário

de MITRE • 11/07/2026

The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsável

VulnCheck

Reservar

09/07/2026

Divulgação

11/07/2026

Moderação

aceite

Entrada

VDB-377828

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Interested in the pricing of exploits?

See the underground prices here!