CVE-2026-59193
Grav CMS โ Improper Handling of Highly Compressed Data in Installer::unZip()
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Grav is a file-based Web platform. Prior to 2.0.0, an authenticated admin.super user can crash Grav or fill the disk by uploading a specially crafted ZIP archive through the Direct Install tool because Installer::unZip calls ZipArchive::extractTo without limits on uncompressed size, entry count, or directory depth. This issue is fixed in version 2.0.0.
| CWE | CWE-409 |
| Vendor | getgrav |
| Product | grav |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for getgrav grav
Be the first to know when new unknown vulnerabilities affecting getgrav grav are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
getgrav / grav
>= 1.0.0, < 2.0.0