CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-61454: The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its

mediumCVSS 5.3CVE-2026-61454
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
medium — CVSS 5.3
Published
2026-07-11
Last updated
2026-07-11
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-61454

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-61454coverage & exploitation statusNVD · CVE.org

More from NVD Recent CVEs