๐Ÿ” CVE Alert

CVE-2026-53653

UNKNOWN 0.0

Grav: Unauthenticated denial of service via unbounded image derivative dimensions

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to exhaust server memory and CPU by requesting image derivatives with oversized dimensions through URL query image actions such as forceResize in Grav::fallbackUrl, which passes request parameters to ImageMedium magic actions without a dimension or pixel ceiling. This issue is fixed in versions 1.7.53 and 2.0.0-rc.8.

CWE CWE-770
Vendor getgrav
Product grav
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for getgrav grav

Be the first to know when new unknown vulnerabilities affecting getgrav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getgrav / grav
>= 2.0.0-beta.1, < 2.0.0-rc.8 < 1.7.53

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-4x9g-vw65-vvf9 github.com: https://github.com/getgrav/grav/commit/d9f9f0369a07ae5c96cde700c7949e1237b29cf6 github.com: https://github.com/getgrav/grav/commit/f4c0f42eea755cedad6f626b342c88d4cba72174 github.com: https://github.com/getgrav/grav/releases/tag/1.7.53 github.com: https://github.com/getgrav/grav/releases/tag/2.0.0-rc.8