PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61454 getgrav CVE debrief

The Grav Admin2 plugin before 2.0.4 discloses sensitive information via a global JavaScript variable. This CVE record was published on 2026-07-11T14:16:23.630Z and has not been modified since then. The vulnerability allows an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance. Users of Grav Admin2 plugin versions before 2.0.4 should update to the latest version to prevent information disclosure.

Vendor
getgrav
Product
grav
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of Grav Admin2 plugin versions before 2.0.4 should update to the latest version to prevent information disclosure. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The Grav Admin2 plugin embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page, disclosing server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers. This information disclosure vulnerability has a high CVSS score of 8.7, indicating high severity. Affected operators and security teams should review official advisories for specific deployment validation and mitigation strategies. Evidence is limited; defenders should monitor primary official records and vendor remediation guidance, and perform verification tasks to confirm affected scope and severity.

Defensive priority

High priority due to high CVSS score of 8.7 and potential for version-specific exploits

Recommended defensive actions

  • Update Grav Admin2 plugin to version 2.0.4 or later
  • Review and restrict access to /grav/admin and its subroutes
  • Monitor for suspicious activity and version-specific exploits
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is limited; primary official records and vendor remediation should be monitored. Additional evidence gathering and verification tasks are required to confirm affected scope and severity. Defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T14:16:23.630Z and has not been modified since then.