Cyber Resilience

CVE-2026-29924

High

Published: 30 March 2026

Published
30 March 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0008 24.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29924 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Getgrav Grav. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29924 is an XML External Entity (XXE) vulnerability, mapped to CWE-611, affecting Grav CMS versions 1.7.x and earlier. The flaw exists in the SVG file upload functionality within the admin panel and File Manager plugin, as published on 2026-03-30. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), reflecting high severity due to its potential for significant data exposure.

An authenticated attacker with low privileges, such as access to the admin panel, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables high confidentiality impact, allowing read access to sensitive files on the server, alongside low-level integrity and availability disruptions, all within the unchanged scope of the application.

Mitigation details and patches are referenced in the Grav GitHub repository at https://github.com/getgrav/grav. Security practitioners should consult this source for updates, workarounds, or version upgrades addressing the SVG upload processing.

EU & UK References

Vulnerability details

Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in Grav CMS web app (admin/File Manager SVG upload) directly enables T1190 for exploiting the public-facing application over the network; successful file read impact directly facilitates T1005 for accessing sensitive data from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47812Same product: Getgrav Grav
CVE-2025-46198Same product: Getgrav Grav
CVE-2026-42608Same product: Getgrav Grav
CVE-2025-46199Same product: Getgrav Grav
CVE-2025-66294Same product: Getgrav Grav
CVE-2026-42612Same product: Getgrav Grav
CVE-2026-42611Same product: Getgrav Grav
CVE-2025-50286Same product: Getgrav Grav
CVE-2025-66299Same product: Getgrav Grav
CVE-2025-66301Same product: Getgrav Grav

Affected Assets

getgrav
grav
≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates SVG file uploads in the admin panel and File Manager to block malicious XML external entities that enable sensitive file disclosure.

prevent

Remediates the specific XXE flaw in Grav CMS v1.7.x SVG upload processing through timely patching from the official repository.

prevent

Restricts SVG file uploads by enforcing MIME types, extensions, and content restrictions to mitigate XXE exploitation risks.

References