Downloads

Everything Grav

Download Grav

Grav Core is the base package with core functionality and a few essential starting pages. Grav Core + Admin also includes the Administration Panel plugin. Both are easy to get started with — check out our Basic Tutorial and Guide to the Administration Panel.

STABLE · v2.0.6 · updated 4 days ago

Latest stable release

Production-ready. The version we recommend for every new site and every upgrade of an existing one.

Get Started

Step 1: Quick installation

  1. Download either the Grav Core or Grav Core + Admin2 plugin installation package.
  2. Extract the zip file into your webroot.
  3. Point your browser at your local webserver: http://yoursite.com

Step 2: How to install the Admin2 plugin

If you have not already installed the admin plugin, you can do so easily with GPM:

$

This will install the admin plugin plus its dependencies (api & login). After this is complete, point your browser to your Grav installation and you will be prompted to create a new admin user.

Changelog

v2.0.6 Latest 4 days ago
    • [security] Flex user avatars stored under user/accounts/<username>/ (folder storage) are now served too; the 2.0.5 avatar carve-out only covered the flatfile user/accounts/avatars/ layout, so folder-storage avatars kept returning a 403. Existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
v2.0.5 4 days ago
    • A page's translatedLanguages() now returns each language's own route, so a translation with a localized slug: produces the correct cross-language link instead of repeating the default language's URL. Fixes getgrav/grav#4183.
    • [security] Profile avatars display again instead of returning a 403; the folder hardening that locked down user/accounts now makes a narrow exception for avatar images while account data such as password hashes stays blocked, and existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
    • Loading a page no longer fails with a "Failed to write cache file" error when Grav can't save the compiled template cache, such as on a shared folder, a full disk, or during a save-then-reload race; the page still renders and the problem is logged instead. Fixes getgrav/grav#4184.
v2.0.4 5 days ago
    • Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
    • Added an onXssTrustedMarkup event that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.
    • [security] Grav's .htaccess rules blocking sensitive folders and files are now matched case-insensitively, closing a bypass where, on case-insensitive filesystems (Windows, macOS, some Docker mounts), a differently-cased request could reach files such as account and config YAML; existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79).
    • [security] The user/data folder now ships a media-aware allowlist that serves uploaded assets such as images, fonts, CSS and JS while keeping data files like YAML and JSON blocked, and upgrading widens an over-narrow allowlist from earlier security updates in place so legitimate theme assets stop returning 403. Fixes getgrav/grav#4169.
    • [security] The Twig regex_replace filter now returns its input unchanged instead of null when a pattern hits a PCRE error such as a backtrack-limit, so a catastrophic pattern can no longer break output (GHSA-37f3-6p89-6qr9).
    • bin/gpm self-upgrade no longer fails on shared-folder setups such as a VirtualBox shared folder, where the bin directory holding the running script could not be deleted, by overwriting the upgrade files in place instead. Fixes getgrav/grav#4171.
    • Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar, which can only display on normal pages. Fixes getgrav/grav-plugin-admin2#76.
    • Resizing an image larger than its original size with ?resize= no longer pads it onto an oversized canvas with a white border, returning the image at its natural size instead unless ?forceresize is used. Fixes getgrav/grav#4173.
    • Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes getgrav/grav#4175.
    • A blueprint validation error now names the value it rejected, so a message like "Invalid input in Process" explains what actually caused it instead of leaving you guessing. Relates to getgrav/grav#4178.
    • Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list, so a resolved entry no longer lingers as if nothing happened. Fixes getgrav/grav-plugin-admin2#85.
v2.0.3 1 week ago
    • Added an optional system.session.read_and_close setting that releases the session as soon as it has been read, so a site's simultaneous requests no longer queue up one behind another waiting on the session; off by default.
    • A bin/gpm self-upgrade that stops while replacing core files now names the exact file or folder it could not remove and the reason why, and points out when the file is owned by a different user than the one running the command, which is the usual cause of an upgrade that works from the admin but fails on the command line. Fixes getgrav/grav#4162.
v2.0.2 1 week ago
    • [security] ZIP extraction in both Direct Install and the internal archiver now enforces the uncompressed-size limit against the bytes actually written, rather than the size each entry claims, so an archive that understates its real size can no longer slip a decompression bomb past the limit (GHSA-8h9x-89f2-m7x3).
    • [security] Editor-authored Twig in page content can no longer read configuration secrets by dumping the config object through a filter such as print_r or json_encode, closing a sandbox bypass that exposed plugin credentials and API keys (GHSA-mc5q-6hpj-rp7j).
    • A failed bin/gpm self-upgrade now reports the specific reason it stopped and records the full details in logs/grav.log, instead of showing a generic "Unknown error" with nothing to act on. Fixes getgrav/grav#4158.
    • A page that displays inline SVG or MathML icons, such as the svg-icon shortcode or GitHub-style alert callouts, no longer renders blank when page-content Twig processing is enabled, because the render-time security scan now skips that legitimate icon markup while still catching injected scripts around it.
v2.0.1 2 weeks ago
    • [security] ZIP archives extracted through the internal ZipArchiver are now rejected when their contents exceed safe limits on total uncompressed size, file count, or folder nesting depth, closing a second extraction path with the same decompression-bomb risk that was fixed for Direct Install (GHSA-928x-9mpw-8h56).
    • [security] Editor-authored Twig in page content now has its rendered output re-checked for XSS, closing a bypass where a payload assembled at render time (such as {{ "on" ~ "error" }}) passed the source validator and then emitted live markup (GHSA-2c4f-86xc-cr74).
    • A page marked Visible in the admin no longer vanishes from navigation after saving, because a blank visibility setting now falls back to its normal default instead of being read as hidden. Fixes getgrav/grav#4153.
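The v2.0.1 and v2.0.2 entries above describe two decompression-bomb fixes: first capping total uncompressed size, entry count and folder nesting depth, and then charging the size cap against bytes actually written rather than against the size each entry's header claims. The following is an added Python example written for this page, not Grav's own PHP ZipArchiver or Direct Install code. It reads the ZIP local file headers directly, inflates each entry in bounded pieces and counts output as it is produced, so a header that understates its size changes nothing about the decision. The limits, the fixture builders and the in-memory sink are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # the 30-byte ZIP local file header
CHUNK = 16 * 1024                               # inflate in bounded steps
# Constructed limits for this example; the thresholds Grav actually uses are not on the page.
MAX_TOTAL_UNCOMPRESSED = 200_000  # bytes actually written, summed over all entries
MAX_ENTRIES = 20
MAX_DEPTH = 4                     # directory components allowed in an entry name

class UnsafeArchive(Exception):
    """Raised the moment an archive crosses a limit; extraction stops there."""

def iter_local_entries(data):
    """Yield (name, method, compressed payload, claimed size); the claim is reported, never trusted."""
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (_, _, flags, method, _, _, _, csize, usize,
         nlen, xlen) = LOCAL_HEADER.unpack_from(data, pos)
        if flags & 0x0008:  # sizes deferred to a data descriptor; not handled in this example
            raise UnsafeArchive("data-descriptor entries are not supported here")
        name = bytes(data[pos + 30:pos + 30 + nlen]).decode("utf-8")
        start = pos + 30 + nlen + xlen
        yield name, method, bytes(data[start:start + csize]), usize
        pos = start + csize

def check_path(name, max_depth):
    """Reject absolute paths, parent references and over-deep nesting."""
    parts = name.split("/")
    if name.startswith("/") or ".." in parts:
        raise UnsafeArchive(f"unsafe entry path: {name!r}")
    if len(parts) - 1 > max_depth:  # 'a/b/c.txt' and 'a/b/' both nest two folders deep
        raise UnsafeArchive(f"entry nested too deep: {name!r}")

def inflate_chunks(payload):
    """Inflate raw deflate in CHUNK-sized pieces so the caller can count output as it appears."""
    d = zlib.decompressobj(-15)  # negative wbits: raw deflate, as stored inside ZIP entries
    pending = payload
    try:
        while pending:
            piece = d.decompress(pending, CHUNK)
            pending = d.unconsumed_tail
            yield piece
        tail = d.flush()
    except zlib.error as exc:
        raise UnsafeArchive(f"corrupt deflate data: {exc}") from exc
    if tail:
        yield tail

def extract_safely(zip_bytes, max_total=MAX_TOTAL_UNCOMPRESSED,
                   max_entries=MAX_ENTRIES, max_depth=MAX_DEPTH):
    """Extract into a dict (stand-in for the filesystem); return (files, bytes_written)."""
    files, written = {}, 0
    for name, method, payload, _claimed in iter_local_entries(zip_bytes):
        if len(files) >= max_entries:
            raise UnsafeArchive("too many entries")
        check_path(name, max_depth)
        if name.endswith("/"):
            files[name] = b""
            continue
        if method not in (0, 8):
            raise UnsafeArchive(f"unsupported compression method {method}")
        pieces = [payload] if method == 0 else inflate_chunks(payload)  # 0 = stored, 8 = deflated
        out = bytearray()
        for piece in pieces:
            written += len(piece)
            if written > max_total:  # per piece, so any overshoot is at most CHUNK bytes
                raise UnsafeArchive("uncompressed output exceeds the limit")
            out += piece
        files[name] = bytes(out)
    return files, written

def naive_claimed_total(zip_bytes):
    """What a check that trusts the headers would believe the archive expands to."""
    return sum(claimed for _, _, _, claimed in iter_local_entries(zip_bytes))

def build_archive(entries):
    """Constructed fixture: a deflated ZIP built from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

def understate_sizes(zip_bytes, claimed=1):
    """Constructed fixture: make every local header claim `claimed` uncompressed bytes."""
    data = bytearray(zip_bytes)
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (_, _, _, _, _, _, _, csize, _, nlen, xlen) = LOCAL_HEADER.unpack_from(data, pos)
        struct.pack_into("<I", data, pos + 22, claimed)  # the uncompressed-size field
        pos += 30 + nlen + xlen + csize
    return bytes(data)
```

The understate_sizes() fixture goes only as far as the changelog entry describes: it makes each header claim a single byte, which fools naive_claimed_total() but leaves extract_safely() unaffected, because the budget is spent as inflate output arrives. The standard-library zipfile reader caps each entry at the header's file_size, which is why the example walks the local headers itself rather than going through zipfile to read.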