CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-61454

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-07-11
The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

⚡ Watch CVE-2026-61454

Get an email if CVE-2026-61454 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-61454

CVE.org record

Embed the live status

CVE-2026-61454 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-61454 status](https://www.csirts.com/badge/CVE-2026-61454)](https://www.csirts.com/cve/CVE-2026-61454)