Grails Framework - 14 CVEs (Page 1/1)

About “Grails Framework”

A curated feed of “Grails Framework”-related CVEs appears below. We currently track 14 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 6.9 (all time), and 50% are rated High/Critical (all time). Top CWEs (all time): CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-264 - CWE-264, CWE-400 - Uncontrolled Resource Consumption.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: grails

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL
7	2025-10-19	7.1.1	Unavailable	-
6	2023-07-24	6.2.3	2025-01-03	2025-10-19 Expired
5	2021-10-12	5.3.6	2023-07-24	2025-01-09 Expired
4	2019-07-11	4.1.4	Unavailable	2023-03-31 Expired
3	2015-03-31	3.3.18	Unavailable	2021-09-30 Expired
2	2011-12-15	2.6.1	Unavailable	2021-06-30 Expired
1	2009-05-14	1.3.9	Unavailable	2012-05-01 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Grails Framework” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2023-12-21

Medium

CVE-2023-46131

Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework applicati…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2022-11-23

Critical

CVE-2022-41923

Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements…

CVSS: 9.1 CWE: CWE-269 - Improper Privilege Management View on NVD

2022-07-19

Critical

CVE-2022-35912

In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker…

CVSS: 9.8 CWE: N/A View on NVD

2019-06-04

High

CVE-2019-12728

Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD

2018-12-20

High

CVE-2018-1000817

Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in D…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2018-09-28

High

CVE-2018-17605

An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty,…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2018-06-26

Medium

CVE-2018-1000529

Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2018-03-19

High

CVE-2014-3626

The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal t…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2017-02-27

Medium

CVE-2017-6344

XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document.

CVSS: 5.9 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2017-01-23

High

CVE-2016-6521

Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

2014-04-15

Medium

CVE-2014-2858

Directory traversal vulnerability in the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 allows remote attackers to obtain sensitive information via unspecified vectors rel…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

Medium

CVE-2014-2857

The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote a…

CVSS: 5.0 CWE: CWE-264 View on NVD

Medium

CVE-2014-0053

The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote att…

CVSS: 5.0 CWE: CWE-264 View on NVD

2012-09-28

Medium

CVE-2012-1833

VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, does not properly restrict data binding, which might allow remote attackers to bypass intended access restrictions and modify arbitrary…

CVSS: 5.0 CWE: CWE-264 View on NVD