PatchSiren cyber security CVE debrief
CVE-2026-61454 getgrav CVE debrief
The Grav Admin2 plugin before 2.0.4 discloses sensitive information via a global JavaScript variable. This CVE record was published on 2026-07-11T14:16:23.630Z and has not been modified since then. The vulnerability allows an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance. Users of Grav Admin2 plugin versions before 2.0.4 should update to the latest version to prevent information disclosure.
- Vendor
- getgrav
- Product
- grav
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of Grav Admin2 plugin versions before 2.0.4 should update to the latest version to prevent information disclosure. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The Grav Admin2 plugin embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page, disclosing server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers. This information disclosure vulnerability has a high CVSS score of 8.7, indicating high severity. Affected operators and security teams should review official advisories for specific deployment validation and mitigation strategies. Evidence is limited; defenders should monitor primary official records and vendor remediation guidance, and perform verification tasks to confirm affected scope and severity.
Defensive priority
High priority due to high CVSS score of 8.7 and potential for version-specific exploits
Recommended defensive actions
- Update Grav Admin2 plugin to version 2.0.4 or later
- Review and restrict access to /grav/admin and its subroutes
- Monitor for suspicious activity and version-specific exploits
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is limited; primary official records and vendor remediation should be monitored. Additional evidence gathering and verification tasks are required to confirm affected scope and severity. Defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T14:16:23.630Z and has not been modified since then.