CVE-2026-61454: The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-61454
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-61454 | coverage & exploitation status | NVD · CVE.org |
More from NVD Recent CVEs
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…2026-07-11
- lowCVE-2026-61465: ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation…2026-07-11