PT-2026-57442 · Grav · Admin2

Nicl4Ssic

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-61454

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Grav Admin2 plugin versions prior to 2.0.4
Description The Grav Admin2 plugin embeds a global JavaScript variable window. GRAV CONFIG in the Admin2 SPA bootstrap page at the '/grav/admin' endpoint and its subroutes. This object is returned in every unauthenticated response, disclosing the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers. This allows an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.
Recommendations Update the Grav Admin2 plugin to version 2.0.4 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61454

Affected Products

Admin2