Cyber Resilience

CVE-2021-47812

CriticalPublic PoC

Published: 16 January 2026

Published
16 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0199 78.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2021-47812 is a critical-severity Missing Authorization (CWE-862) vulnerability in Getgrav Grav. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-47812 is an unauthenticated vulnerability in GravCMS 1.10.7 that allows remote attackers to write arbitrary YAML configuration files and execute PHP code through the scheduler endpoint. By exploiting the admin-nonce parameter, attackers can inject base64-encoded payloads to create malicious custom jobs capable of system command execution. The issue, published on 2026-01-16, carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862.

Remote attackers require no privileges or user interaction to exploit this flaw over the network with low attack complexity. Successful exploitation enables full remote code execution, including arbitrary system commands, resulting in high impacts on confidentiality, integrity, and availability of the affected GravCMS instance.

Advisories and references, including the GravCMS site (https://getgrav.org), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/49973), and a VulnCheck advisory (https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated), provide additional technical details on the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system…

more

command execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution vulnerability in public-facing GravCMS web application via scheduler endpoint directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46199Same product: Getgrav Grav
CVE-2026-42608Same product: Getgrav Grav
CVE-2025-46198Same product: Getgrav Grav
CVE-2026-42611Same product: Getgrav Grav
CVE-2025-66294Same product: Getgrav Grav
CVE-2026-42612Same product: Getgrav Grav
CVE-2026-29924Same product: Getgrav Grav
CVE-2025-66299Same product: Getgrav Grav
CVE-2025-50286Same product: Getgrav Grav
CVE-2025-66295Same product: Getgrav Grav

Affected Assets

getgrav
grav
1.10.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly authorizes and limits permitted actions without identification or authentication, preventing unauthenticated access to the vulnerable scheduler endpoint.

prevent

SI-10 validates and sanitizes inputs to the admin-nonce parameter and scheduler endpoint, blocking injection of base64-encoded malicious payloads.

prevent

SI-2 ensures timely patching of the specific flaw in GravCMS 1.10.7, eliminating the unauthenticated YAML write and PHP code execution vulnerability.

References