{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29924", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T19:20:28.827Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:20:40.823Z"}, "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/getgrav/grav"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:19:59.377941Z", "id": "CVE-2026-29924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:20:28.827Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:19:59.377941Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:18:47.139Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/getgrav/grav"}], "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:20:40.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29924", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:20:28.827Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F068841-DBCC-41D5-8B24-BFCE51841E2E", "versionEndExcluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}, {"lang": "es", "value": "Grav CMS v1.7.x y anteriores es vulnerable a entidad externa XML (XXE) a trav\u00e9s de la funcionalidad de carga de archivos SVG en el panel de administraci\u00f3n y el plugin File Manager."}], "id": "CVE-2026-29924", "lastModified": "2026-04-06T15:58:27.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T19:16:24.470", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/getgrav/grav"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.0)"}}], "enrichment": {"confidence": 78.0, "confidence_source": "inferred", "scores": [{"score": 78.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "grav_cms", "vendor": "getgrav"}], "analysis": {"en": {"generated_at": "2026-04-06T19:57:21.733972+00:00", "value": {"mitigation_remediation": ["Upgrade Grav CMS to a version newer than 1.7.x", "If an upgrade is not possible, disable SVG uploads or remove the File Manager plugin from the admin area", "Restrict access to the admin panel to trusted authenticated users and consider IP whitelisting", "Validate and sanitize uploaded files to eliminate XML entities"], "summary": {"action": "Upgrade", "impact": "Confidentiality breach"}, "threat_synthesis": {"affected_systems": "Grav CMS versions 1.7.x and earlier are affected. The flaw is present in the default SVG upload handling in the admin interface and the File Manager plugin of these releases.", "description_and_impact": "The vulnerability is an XML External Entity (XXE) flaw that is triggered when an SVG file is uploaded through the Grav CMS admin panel or its File Manager plugin. XXE flaws permit an attacker to instruct the server to read arbitrary files from the filesystem or to send requests to internal or external hosts. The description does not confirm that code execution is possible, but the flaw can expose sensitive data on the server. This vulnerability is categorized as CWE-611, indicating that attacker-provided external entities are processed by the XML parser.", "risk_and_exploitability": "The CVSS base score of 7.6 indicates a high severity, and the EPSS score of less than 1% suggests that exploitation attempts are currently rare. Because the flaw is accessed through the web\u2011based admin interface, an attacker would need authenticated or privileged access to upload a crafted SVG file. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, requiring that the attacker has permissions to use the admin panel or the File Manager plugin."}}}}, "created": "2026-03-30T20:56:16.823523+00:00", "updated": "2026-04-07T08:08:41.261466+00:00", "vendors": ["getgrav", "getgrav$PRODUCT$grav_cms"]}