Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- <= 1.7
A vulnerability allowing XML External Entity (XXE) attacks has been identified in Grav CMS versions through 1.7.x. This issue arises from the SVG file upload feature in the admin panel, specifically within the File Manager plugin.
Exploitation could allow an attacker to interfere with the application's processing of XML data. This could potentially be used to read local files or to conduct a denial-of-service attack by causing the application to process an excessive amount of data.
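A pre-parse gate for uploaded SVG files is one way to mitigate this class of issue. The sketch below is an added example, not Grav or File Manager plugin code: it rejects any SVG that carries a DOCTYPE or entity declaration before the file reaches an XML-processing step. The function name, size limit and sample inputs are assumptions constructed for illustration.

```python
import xml.parsers.expat

MAX_SVG_BYTES = 1_000_000  # assumed upload size limit, not a Grav setting

# Constructed samples for illustration only.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
DTD_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>')
NOT_SVG = b'<html><body/></html>'


class UnsafeSvg(Exception):
    """Raised from a parser callback to abort on a forbidden construct."""


def check_svg_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded SVG (hypothetical helper)."""
    if len(data) > MAX_SVG_BYTES:
        return False, "file too large"
    # A real XML tokenizer is used instead of a regex so that encoding
    # tricks (UTF-16, odd whitespace) cannot hide the DOCTYPE.
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvg("DOCTYPE declaration not allowed")

    def on_entity(*args):
        raise UnsafeSvg("entity declaration not allowed")

    def on_start(name, attrs):
        if not root:
            root.append(name)  # remember only the document element

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    if not root or root[0].split(":")[-1] != "svg":
        return False, "root element is not <svg>"
    return True, "ok"
```

Legitimate SVG images rarely need a DTD, so refusing every DOCTYPE closes both the external-entity and the entity-expansion paths with little impact on normal uploads.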