CVE-2026-61454 PUBLISHED

Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

Assigner: VulnCheck
Reserved: 09.07.2026 Published: 11.07.2026 Updated: 11.07.2026

The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.GRAV_CONFIG in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor getgrav
Product grav
Versions Default: unaffected
  • affected from 0 to 2.0.4 (excl.)
  • Version 2.0.4 is unaffected

Credits

  • nicl4ssic reporter

References

Problem Types

  • Exposure of Sensitive Information to an Unauthorized Actor CWE