๐Ÿ” CVE Alert

CVE-2026-55885

MEDIUM 6.8

Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets

CVSS Score
6.8
EPSS Score
0.2%
EPSS Percentile
7th

Grav is a file-based Web platform. Prior to 1.7.53, an authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the administrator password hash and user/config with site configuration, through the backup download endpoint protected only by the session-static admin-nonce URL parameter. This issue is reported as fixed in version 1.7.53.

CWE CWE-312 CWE-522
Vendor getgrav
Product grav
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for getgrav grav

Be the first to know when new medium vulnerabilities affecting getgrav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

getgrav / grav
< 1.7.53

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-2f86-9cp8-6hcf github.com: https://github.com/getgrav/grav/releases/tag/1.7.53