CVE-2026-29924
Published: 30 March 2026
Summary
CVE-2026-29924 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Getgrav Grav. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates SVG file uploads in the admin panel and File Manager to block malicious XML external entities that enable sensitive file disclosure.
Remediates the specific XXE flaw in Grav CMS v1.7.x SVG upload processing through timely patching from the official repository.
Restricts SVG file uploads by enforcing MIME types, extensions, and content restrictions to mitigate XXE exploitation risks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XXE in Grav CMS web app (admin/File Manager SVG upload) directly enables T1190 for exploiting the public-facing application over the network; successful file read impact directly facilitates T1005 for accessing sensitive data from the local system.
NVD Description
Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.
Deeper analysisAI
CVE-2026-29924 is an XML External Entity (XXE) vulnerability, mapped to CWE-611, affecting Grav CMS versions 1.7.x and earlier. The flaw exists in the SVG file upload functionality within the admin panel and File Manager plugin, as published on 2026-03-30. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), reflecting high severity due to its potential for significant data exposure.
An authenticated attacker with low privileges, such as access to the admin panel, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables high confidentiality impact, allowing read access to sensitive files on the server, alongside low-level integrity and availability disruptions, all within the unchanged scope of the application.
Mitigation details and patches are referenced in the Grav GitHub repository at https://github.com/getgrav/grav. Security practitioners should consult this source for updates, workarounds, or version upgrades addressing the SVG upload processing.
Details
- CWE(s)