PT-2026-57442 · Grav · Admin2
Nicl4Ssic
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-61454
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Grav Admin2 plugin versions prior to 2.0.4
Description
The Grav Admin2 plugin embeds a global JavaScript variable
window. GRAV CONFIG in the Admin2 SPA bootstrap page at the '/grav/admin' endpoint and its subroutes. This object is returned in every unauthenticated response, disclosing the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers. This allows an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.Recommendations
Update the Grav Admin2 plugin to version 2.0.4 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Admin2