Back to overview

CVE-2026-55885

MEDIUM
6.8
CVSS 3.1
Description
Grav is a file-based Web platform. Prior to 1.7.53, an authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the administrator password hash and user/config with site configuration, through the backup download endpoint protected only by the session-static admin-nonce URL parameter. This issue is reported as fixed in version 1.7.53.

Metadata

CVE ID
CVE-2026-55885
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 16:59 UTC
Published
2026-07-10 16:13 UTC
Last updated
2026-07-10 16:13 UTC
Primary CWE
CWE-312
CWE-312: Cleartext Storage of Sensitive Information
Vendor / Product
getgrav / grav
Sources
cve.org  ·  NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
getgrav grav < 1.7.53
Weakness (CWE)
CWESourceDescription
CWE-312 cna CWE-312: Cleartext Storage of Sensitive Information
CWE-522 cna CWE-522: Insufficiently Protected Credentials
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
References (2)
Back to overview