
CVE-2026-29924: Grav CMS XXE Vulnerability via SVG Upload

CVE-2026-29924 is an XML External Entity (XXE) vulnerability in Grav CMS v1.7.x and earlier, reachable through SVG file uploads in the admin panel. An authenticated user who can upload SVG files can use it to read files the web server process can access, reach internal services via server-side request forgery, or cause denial of service.

Published: April 2, 2026

CVE-2026-29924 Overview

Grav CMS v1.7.x and earlier is vulnerable to XML External Entity (XXE) injection through the SVG file upload functionality in the admin panel and File Manager plugin. An authenticated user who can upload SVG files can abuse the XML parser that processes them, because that parser resolves external entities, potentially leading to sensitive data exposure, server-side request forgery, and denial of service conditions.

Critical Impact

Authenticated attackers can exploit SVG file uploads to read sensitive files the web server process can access, perform SSRF against internal services, and cause denial of service through entity expansion, all via XML External Entity injection.

Affected Products

  • Grav CMS v1.7.x and earlier versions
  • Grav Admin Panel with SVG upload capability
  • Grav File Manager Plugin

Discovery Timeline

  • 2026-03-30 - CVE-2026-29924 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-29924

Vulnerability Analysis

This vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference). The flaw exists in how Grav CMS processes SVG file uploads within the admin panel and File Manager plugin. SVG files are XML-based vector graphics that can contain Document Type Definitions (DTDs) with external entity declarations. When the application parses these SVG files without properly disabling external entity processing, an attacker can inject malicious XML entities that reference local files or external resources.

The vulnerability requires authenticated access to the admin panel or File Manager plugin, so an attacker needs valid credentials first; any account permitted to upload files is enough (the CVSS vector rates the required privileges as low). Once authenticated, the attacker can craft malicious SVG files containing XXE payloads to exfiltrate sensitive data from the server filesystem, probe internal network resources, or cause denial of service through entity expansion attacks.

Root Cause

The root cause of this vulnerability is the configuration of the XML parser used to process SVG file uploads in Grav CMS. When SVG files are uploaded through the admin panel or File Manager plugin, the parser runs with external entity resolution enabled, so it fetches and substitutes content from the local file paths or external URIs named in DTD declarations embedded in the SVG. Secure handling means parsing SVG with entity substitution off (for PHP's libxml-based parsers, never passing LIBXML_NOENT), forbidding network access during parsing, and rejecting any upload that carries a DOCTYPE at all, since a legitimate SVG does not need one. Note that libxml_disable_entity_loader() is deprecated as of PHP 8.0: libxml 2.9 and later already leave external entity loading off unless entity substitution is explicitly requested, so that function is not the primary control.

Attack Vector

The attack vector is network-based and requires low-privilege authenticated access. An attacker with access to the Grav CMS admin panel can upload a specially crafted SVG file containing XXE payloads. The malicious SVG would include a DTD declaration with external entity references pointing to sensitive files such as /etc/passwd, configuration files, or internal network endpoints.

When the server processes the uploaded SVG (during preview generation, rendering, or validation), the XML parser resolves the external entities and substitutes the contents of the referenced files or resources into the document. Whether that content reaches the attacker depends on what the application then does with the parsed document: if it is re-serialised, previewed, or echoed in an error message, the data is disclosed directly; if it is not, the attacker is limited to blind techniques such as SSRF probing or out-of-band exfiltration through an attacker-hosted DTD. Either way, the exposure can include configuration data, database credentials, or other confidential information stored on the server.

In short, the upload feature accepts an SVG whose DTD declares external entities, and the parser that later processes it resolves those entities to local file paths or external URLs. See the Grav GitHub repository for technical details and updates.

Detection Methods for CVE-2026-29924

Indicators of Compromise

  • SVG file uploads containing suspicious DTD declarations or ENTITY keywords in the admin panel upload logs
  • Unusual file access patterns on sensitive system files such as /etc/passwd, /etc/shadow, or application configuration files
  • Error logs showing XML parsing errors referencing external URIs or local file paths
  • Outbound network connections from the web server to unexpected internal or external destinations

Detection Strategies

  • Monitor and log all SVG file uploads to the Grav CMS admin panel and File Manager plugin
  • Implement content inspection rules to detect XXE payloads in uploaded XML-based files (SVG, XML, XHTML)
  • Configure web application firewall (WAF) rules to block SVG and other XML uploads containing DOCTYPE or ENTITY declarations (match the declarations themselves, not ordinary entity references such as &amp;, which legitimate files contain)
  • Enable verbose logging for XML parsing operations to capture potential exploitation attempts

Monitoring Recommendations

  • Implement file integrity monitoring on sensitive configuration files and system files
  • Configure SIEM alerts for unusual file read operations initiated by the web server process
  • Monitor for outbound connections from the web application server to internal network segments or external resources
  • Review admin panel authentication logs for unauthorized access attempts preceding file upload activity

How to Mitigate CVE-2026-29924

Immediate Actions Required

  • Restrict SVG file uploads in the Grav CMS admin panel until a patch is applied
  • Implement input validation that rejects SVG files containing DOCTYPE or ENTITY declarations (reject rather than strip: a legitimate SVG needs no DTD, and stripping can be bypassed)
  • Review and audit existing uploaded SVG files for potential malicious content
  • Limit admin panel access to trusted users and network segments

Patch Information

Organizations should monitor the Grav CMS GitHub repository for official security patches addressing this XXE vulnerability. Until a patch is released, implement the workarounds described below to reduce exposure. Ensure you are subscribed to Grav CMS security announcements to receive timely updates when fixes become available.

Workarounds

  • Disable SVG file uploads entirely in the Grav CMS configuration until a patch is available
  • Make sure no code path parses uploaded SVG with entity substitution enabled (in PHP, never pass LIBXML_NOENT to DOMDocument or SimpleXML; on PHP 7 you may additionally call libxml_disable_entity_loader(true), which is deprecated and unnecessary on PHP 8 / libxml 2.9+)
  • Implement server-side SVG validation that rejects DOCTYPE and ENTITY declarations before processing, or, if uploads must be sanitised rather than refused, strip them with a maintained SVG sanitiser and re-validate the result
  • Use a web application firewall to filter and block SVG uploads containing XXE payloads

Parse uploaded SVGs in PHP (Grav's runtime) so that external entities are never resolved. libxml_disable_entity_loader() is a PHP function, not a php.ini directive, and it is deprecated and unnecessary on PHP 8 / libxml 2.9+; the requirements are to never pass LIBXML_NOENT and to reject any SVG that carries a DTD:

```php
<?php
// Hardened SVG load for PHP 8. External entities are only substituted when
// LIBXML_NOENT is passed, so it is deliberately absent; LIBXML_NONET also
// forbids network fetches during parsing. A benign SVG never needs a DOCTYPE.
$svgBytes = file_get_contents($uploadedPath); // $uploadedPath: path of the upload (assumed)
$dom = new DOMDocument();
libxml_use_internal_errors(true);
if (!$dom->loadXML($svgBytes, LIBXML_NONET) || $dom->doctype !== null) {
    throw new RuntimeException('SVG rejected: malformed or contains a DOCTYPE');
}
// Also restrict who may upload SVG at all through Grav's own configuration
// (user/config/system.yaml); the relevant keys depend on your Grav version,
// so confirm them against the Grav documentation.
```
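Added example, not code from Grav or SentinelOne: the entity-resolution mechanism described under Attack Vector, and the DOCTYPE-rejection check recommended under Workarounds, reproduced with Python's standard-library SAX parser. Python's expat-based parser leaves external general entities unresolved unless feature_external_ges is switched on, so switching it on stands in for a libxml parser run with LIBXML_NOENT, and leaving it off is the hardened configuration. The "secret" file (a stand-in for a Grav config file), the SVG payload, and the function names are all constructed for the demo.

```python
"""XXE via SVG: vulnerable vs hardened parsing, plus the pre-parse DTD check.

Added example (not Grav's code). Python's stdlib SAX parser ignores external
general entities unless feature_external_ges is on; enabling it stands in for
a libxml parser run with LIBXML_NOENT. Secret file, payload and names are
constructed for the demo.
"""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# A benign SVG needs neither a DOCTYPE nor ENTITY declarations, so either
# token is grounds for rejection. Only declarations are matched: ordinary
# references such as &amp; are legitimate and must not be blocked. The match
# is case-insensitive on purpose, to catch evasion aimed at lenient parsers.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(svg_bytes: bytes) -> bool:
    """Upload-filter / WAF style check: True if the SVG declares a DTD."""
    return DTD_MARKER.search(svg_bytes) is not None


class _TextCollector(ContentHandler):
    """Collects character data, i.e. what a renderer or preview would reflect."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[str] = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def parse_svg_text(svg_bytes: bytes, resolve_external: bool) -> str:
    """Parse an SVG and return its text content.

    resolve_external=True reproduces the vulnerable parser configuration;
    False is the hardened one (the stdlib default since Python 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.chunks)


def xxe_svg(target_path: str) -> bytes:
    """Constructed malicious SVG: the <text> node expands to the target file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>\n'
    )


def handle_upload(svg_bytes: bytes) -> str:
    """Hardened upload path: reject any DTD up front, then parse with external
    entity resolution off so a bypass of the first check still leaks nothing."""
    if contains_dtd(svg_bytes):
        raise ValueError("SVG rejected: DOCTYPE/ENTITY declaration present")
    return parse_svg_text(svg_bytes, resolve_external=False)


def demo() -> dict:
    """Fire the payload at the vulnerable and the hardened parser."""
    # Constructed stand-in for a Grav config file the web server can read.
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as fh:
        fh.write("db_password: hunter2\n")
        secret_path = fh.name
    try:
        payload = xxe_svg(secret_path)
        leaked = parse_svg_text(payload, resolve_external=True)
        unresolved = parse_svg_text(payload, resolve_external=False)
        try:
            handle_upload(payload)
            rejected = False
        except ValueError:
            rejected = True
        benign = b'<svg xmlns="http://www.w3.org/2000/svg"><text>logo</text></svg>'
        return {
            "leaked": leaked,          # file contents substituted into <text>
            "unresolved": unresolved,  # hardened parser: entity left empty
            "rejected": rejected,      # DTD check refused the upload
            "benign_text": handle_upload(benign),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it directly to see the secret file's contents come back from the vulnerable parser and an empty string from the hardened one. The byte-level DTD check is an early reject and a detection signature, nothing more: it will not see a payload in another encoding (UTF-16, for example), which is why the parser configuration, not the regex, is the control that has to hold.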

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XXE
  • Vendor/Tech: Grav CMS
  • Severity: HIGH
  • CVSS Score: 7.6
  • EPSS Probability: 0.06%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

Note: these Impact Assessment rows do not agree with the CVSS vector above. The vector (C:H/I:L/A:L, i.e. high confidentiality impact, low integrity and availability impact) is the one consistent with the 7.6 base score, so treat it as the authoritative rating.

CWE References

  • CWE-611

Technical References

  • GitHub PoC Repository

Related CVEs

  • CVE-2020-36955: Grav CMS Admin Plugin XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.
