CVE-2021-47812
Published: 16 January 2026
Summary
CVE-2021-47812 is a critical-severity Missing Authorization (CWE-862) vulnerability in Getgrav Grav. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 explicitly authorizes and limits permitted actions without identification or authentication, preventing unauthenticated access to the vulnerable scheduler endpoint.
SI-10 validates and sanitizes inputs to the admin-nonce parameter and scheduler endpoint, blocking injection of base64-encoded malicious payloads.
SI-2 ensures timely patching of the specific flaw in GravCMS 1.10.7, eliminating the unauthenticated YAML write and PHP code execution vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote code execution vulnerability in public-facing GravCMS web application via scheduler endpoint directly enables T1190: Exploit Public-Facing Application.
NVD Description
GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system…
more
command execution.
Deeper analysisAI
CVE-2021-47812 is an unauthenticated vulnerability in GravCMS 1.10.7 that allows remote attackers to write arbitrary YAML configuration files and execute PHP code through the scheduler endpoint. By exploiting the admin-nonce parameter, attackers can inject base64-encoded payloads to create malicious custom jobs capable of system command execution. The issue, published on 2026-01-16, carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862.
Remote attackers require no privileges or user interaction to exploit this flaw over the network with low attack complexity. Successful exploitation enables full remote code execution, including arbitrary system commands, resulting in high impacts on confidentiality, integrity, and availability of the affected GravCMS instance.
Advisories and references, including the GravCMS site (https://getgrav.org), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/49973), and a VulnCheck advisory (https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated), provide additional technical details on the vulnerability.
Details
- CWE(s)