CVE-2021-47812

CriticalPublic PoC

Published: 16 January 2026

Published

16 January 2026

Modified

02 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system…

command execution.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

AC-14 explicitly authorizes and limits permitted actions without identification or authentication, preventing unauthenticated access to the vulnerable scheduler endpoint.

SI-10 Information Input Validation good match

prevent

SI-10 validates and sanitizes inputs to the admin-nonce parameter and scheduler endpoint, blocking injection of base64-encoded malicious payloads.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely patching of the specific flaw in GravCMS 1.10.7, eliminating the unauthenticated YAML write and PHP code execution vulnerability.

Security SummaryAI

CVE-2021-47812 is an unauthenticated vulnerability in GravCMS 1.10.7 that allows remote attackers to write arbitrary YAML configuration files and execute PHP code through the scheduler endpoint. By exploiting the admin-nonce parameter, attackers can inject base64-encoded payloads to create malicious custom jobs capable of system command execution. The issue, published on 2026-01-16, carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862.

Remote attackers require no privileges or user interaction to exploit this flaw over the network with low attack complexity. Successful exploitation enables full remote code execution, including arbitrary system commands, resulting in high impacts on confidentiality, integrity, and availability of the affected GravCMS instance.

Advisories and references, including the GravCMS site (https://getgrav.org), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/49973), and a VulnCheck advisory (https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated), provide additional technical details on the vulnerability.

Details

CWE(s): CWE-862

Affected Products

getgrav

grav

1.10.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote code execution vulnerability in public-facing GravCMS web application via scheduler endpoint directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://getgrav.org
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/49973
Exploit · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/gravcms-arbitrary-yaml-writeupdate-unauthenticated
Third Party Advisory · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/49973
Exploit · 134c704f-9b21-4f2e-91b3-4a467353bcc0