{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29924", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T19:20:28.827Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:20:40.823Z"}, "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/getgrav/grav"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:19:59.377941Z", "id": "CVE-2026-29924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:20:28.827Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:19:59.377941Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:18:47.139Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/getgrav/grav"}], "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:20:40.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29924", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:20:28.827Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin."}], "id": "CVE-2026-29924", "lastModified": "2026-03-30T20:16:20.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T19:16:24.470", "references": [{"source": "cve@mitre.org", "url": "https://github.com/getgrav/grav"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T19:24:12.997042+00:00", "value": {"mitigation_remediation": ["Update Grav CMS to the latest stable release (greater than 1.7.x) where the SVG upload entity resolution has been disabled.", "If an update is not immediately possible, disable the SVG file upload capability or block the File Manager plugin to prevent exploitation.", "Monitor for web requests attempting to enumerate local files or trigger external HTTP calls originating from SVG uploads.", "Patch or configure the underlying XML parser to disallow external entities if the CMS configuration allows custom PHP settings."], "summary": {"action": "Immediate Patch", "impact": "XML External Entity (XXE) issue allowing potential remote code execution or data exposure"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Grav CMS, specifically releases 1.7.x and any earlier version. Systems running these releases without an update to a newer release are at risk.", "description_and_impact": "Grav CMS versions 1.7.x and earlier allow XML External Entities to be processed when an SVG file is uploaded via the admin panel or File Manager plugin. This weakness originates from the XML parser handling embedded entities without disabling external entity resolution. As a result, a crafted SVG file can instruct the server to access arbitrary local files, perform HTTP requests to external services, or otherwise cause the server to read or transmit sensitive data. The impact therefore spans confidentiality, integrity, and potentially availability of the CMS environment.", "risk_and_exploitability": "The vulnerability is remote in nature because it can be triggered by uploading a file through the web interface, but it generally requires access to the CMS admin area or the File Manager plugin. Without a publicly exposed admin interface this risk is reduced, yet administrators overexposing their CMS face a high likelihood of exploitation. No CVSS score is provided, but the classic XML External Entity flaw (CWE\u2011611) generally carries a high severity rating. EPSS data is unavailable and the flaw is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, but the potential for data exfiltration or remote execution warrants urgent attention."}}}}, "created": "2026-03-30T20:56:16.823523+00:00", "title": "XML External Entity Vulnerability in Grav CMS SVG Upload", "updated": "2026-03-30T20:56:16.823564+00:00", "vendors": [], "weaknesses": ["CWE-611"]}