CMS
getgrav/grav
Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
#php #cms #flat-file #content #website #grav #content-management #twig #yaml #symfony #doctrine #php7 #website-builder #website-generation #markdown
Score: 80 / 100
Stars: 15,491
Forks: 1,409
Open issues: 432
Size: 32MB
Language: PHP ★
Last push: 2 days ago
Docker: —
Score breakdown
Past CVEs: 17 (somewhat many)
✓ Recent push: 2 days ago
✓ Primary language (PHP)
✓ Open issues: 432
✓ Medium size (32MB)
✓ Docker not supported
— 10k–50k stars: intermediate (★15,491)
— ※ See the "Scoring rules" for the weight of each item. The total is floored at 0.
Past Security Advisories (20)
- Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
- Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]
- Anonymous Page Content Overwrite via Form File Upload filename Override
- Low-privileged API users can create super-admin accounts via blueprint-upload
- Stored XSS via Tag Injection
- XXE via SVG Upload
- [ZERO-DAY] Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.
- Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
- Insecure Deserialization in File Cache
- Multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass (CWE-502, CWE-78, CWE-1336)
- Publisher-Level Stored XSS via Unquoted Event Attributes
- Sensitive Information Disclosure via Accounts Service Bypass
- Privilege Escalation via Missing Server-Side Validation of groups/access
- XSS via Taxonomy Field Values in Admin Panel
- Stored XSS via Markdown media attribute() action in Grav CMS
- Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
- Grav API Privilege Escalation to Super Admin
- Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure
- Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
- Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover