๐Ÿ” CVE Alert

CVE-2026-61449

MEDIUM 6.5

Grav before 2.0.2 Decompression Bomb via Forged ZIP Size

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPM\Installer. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory header (ZipArchive::statIndex()['size']) and rejects archives exceeding system.gpm.archive.max_uncompressed_size before extraction. Because this declared size is attacker-forgeable and is not cross-checked against the actual inflated stream, a crafted archive declaring tiny per-entry sizes passes the cap while extractTo() writes the real, much larger content, filling disk or exhausting inodes. The archive must be supplied by a package source or admin upload (admin/operator trust). Fixed in 2.0.2. This is an incomplete fix for GHSA-928x-9mpw-8h56.

CWE CWE-409
Vendor getgrav
Product grav
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for getgrav grav

Be the first to know when new medium vulnerabilities affecting getgrav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

getgrav / grav
0 < 2.0.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-8h9x-89f2-m7x3 vulncheck.com: https://www.vulncheck.com/advisories/grav-before-decompression-bomb-via-forged-zip-size

Credits

๐Ÿ” iliaal