Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to exhaust server memory and CPU by requesting image derivatives with oversized dimensions through URL query image actions such as forceResize in Grav::fallbackUrl, which passes request parameters to ImageMedium magic actions without a dimension or pixel ceiling. This issue is fixed in versions 1.7.53 and 2.0.0-rc.8.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-770"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53653.json"
}{
"source": [
"AFFECTED_FIELD",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "2.0.0-beta.1"
},
{
"fixed": "2.0.0-rc.8"
},
{
"introduced": "0"
},
{
"fixed": "1.7.53"
}
]
}