Download Grav

Grav Core is the base package with core functionality and a few essential starting pages. Grav Core + Admin also includes the Administration Panel plugin. Both are easy to get started with — check out our Basic Tutorial and Guide to the Administration Panel.

STABLE · v2.0.0 · updated 1 day ago

Latest stable release

Production-ready. The version we recommend for every new site and every upgrade of an existing one.

Get Started

1. Quick installation

  1. Download either the Grav Core or Grav Core + Admin plugin installation package.
  2. Extract the zip file into your webroot.
  3. Point your browser at your local webserver: http://yoursite.com

2. How to install the Admin plugin

If you have not already installed the admin plugin, you can do so easily with GPM:

$

This will install the admin plugin plus its dependencies (login, form, email). After this is complete, point your browser to your Grav installation and you will be prompted to create a new admin user.

3. How to update

Please update Grav first, and then the other plugins.

If you are using the admin plugin, you can update Grav itself from the update notice with the Update button in the upper-right, and check for plugin updates with the Check for updates button in the top-right. From the command line instead, navigate to the root of the Grav install and type:

$

Additionally you should update all your plugins and themes to the latest version, including the admin plugin if you have that installed:

$
Read the Documentation

Changelog

v2.0.0 Latest 2 days ago
    • Grav Version 2.0 stable is released - read all about it here: https://getgrav.org/blog/grav-2-stable-released
    • [security] Install packages uploaded through Direct Install are now rejected when their contents exceed safe limits on total uncompressed size, file count, or folder nesting depth, so a crafted archive can no longer fill the disk, exhaust inodes, or crash extraction (GHSA-2vcx-h8p2-9pg9).
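The three archive limits in the v2.0.0 entry above (uncompressed size, file count, nesting depth), as an added example of the same pre-flight check written in Python; this is not Grav's own code (which is PHP), and the `Limits` values, `check_package` and `make_zip` are assumptions of this example. It also rejects traversal paths, which the entry does not mention.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """Assumed defaults; Grav's real values are configurable and not on this page."""
    max_total_bytes: int = 200 * 1024 * 1024  # uncompressed bytes
    max_files: int = 20_000
    max_depth: int = 32  # path components, so "a/b/c.txt" has depth 3


def check_package(data: bytes, limits: Limits = Limits()) -> tuple[bool, str]:
    """Return (accepted, reason) from the central directory alone, without
    extracting anything. Header sizes can be forged, so an extractor must
    still count bytes as it writes; this is only the pre-flight gate."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"not a zip archive: {exc}"
    total = 0
    files = 0
    for info in zf.infolist():
        name = info.filename
        parts = name.split("/")
        # Absolute paths, backslashes and ".." components never belong in a package.
        if name.startswith("/") or "\\" in name or ".." in parts:
            return False, f"unsafe path: {name}"
        depth = len([p for p in parts if p])
        if depth > limits.max_depth:
            return False, f"nesting depth {depth} exceeds {limits.max_depth}: {name}"
        if info.is_dir():
            continue
        files += 1
        if files > limits.max_files:
            return False, f"more than {limits.max_files} files"
        total += info.file_size
        if total > limits.max_total_bytes:
            return False, f"uncompressed size exceeds {limits.max_total_bytes} bytes"
    return True, f"ok: {files} files, {total} bytes uncompressed"


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (used for the checks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```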
v2.0.0-rc.10 4 days ago
    • [security] Image resize in page content (for example ![logo](img.png?resize=...)) now only accepts numeric dimensions, closing a stored CSS injection where a crafted resize value could write extra style declarations, such as a full-page overlay, into the image for a higher-privileged viewer (CWE-79). Media actions in an image URL are now limited to the documented set, so page content can no longer reach other internal methods on a media object, and inline styles are validated again when the image is rendered. Thanks to @DavidCarliez for the report.
    • Twig in page content that puts an output tag inside an if block, such as {% if x %}{{ y }}{% endif %}, no longer fails with an "Unknown endif tag" error when Markdown runs first. Fixes getgrav/grav#4126.
    • Twig in the content of a modular page's modules, such as a {% include %} tag, is now processed the same way it is in a regular page instead of being left as literal text. Fixes getgrav/grav#4142.
    • Hyphenized anchors and slugs now keep accented and other Unicode letters such as ä, ö and ü instead of mangling them, so on-page menu links to modules with those characters point to the right place. Thanks to @Xoriander. getgrav/grav#4143
v2.0.0-rc.9 6 days ago
    • Added a GRAV_ENV_PATH environment variable that loads the .env file(s) from a directory or file path outside the web root, so secrets such as API keys no longer have to live in the publicly served document root.
    • Added an onFlexObjectMedia event so a plugin can rewrite a flex object's media links, letting the original files be served through a controlled route while resized or cropped versions still load straight from the image cache.
    • [security] Inline styles set on an image from page content (for example ![logo](img.png?style=...)) are now limited to safe layout CSS, so an editor can no longer store a full-page overlay or a url() callout that would target an administrator viewing the page (CWE-79). Thanks to @CyberKareem for the report.
    • [security] Direct web access to the user/accounts, user/config, user/data and user/env folders is now blocked in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under user/data with an unlisted extension could be downloaded directly.
    • [security] A backup deny-all .htaccess now ships inside user/accounts, user/config and user/data so Apache installs stay protected even when the site root .htaccess has been customised or is out of date.
    • [security] The upgrade postflight now patches an existing stock root .htaccess to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
    • The new user/data block now makes an exception for public media uploads, such as Flex Object images, so they keep displaying instead of returning a 403, while data files, databases and keys stay blocked. Fixes getgrav/grav#4129.
    • [security] The Twig filesystem helpers such as read_file and file_exists now reject ../ path traversal and null bytes in their argument, an extra safeguard on top of the sandbox that already keeps these functions out of editor-authored page content.
v1.7.53 6 days ago
    • [security] Direct web access to the user/accounts, user/config, user/data and user/env folders is now blocked outright in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under user/data with an unlisted extension could be downloaded directly.
    • [security] A backup deny-all .htaccess now ships inside user/accounts, user/config and user/data so Apache installs stay protected even when the site root .htaccess has been customised or is out of date.
    • [security] The upgrade postflight now patches an existing stock root .htaccess to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
    • [security] URL query image transforms (such as image.jpg?resize=) are now turned off by default and, when enabled, refuse oversized dimensions above a configurable pixel limit, closing an unauthenticated denial of service where huge resize values could exhaust server memory.
v2.0.0-rc.8 2 weeks ago
    • Page Authors in a page's Security settings is now picked from a searchable list of the users who can edit pages, instead of typed-in usernames.
    • [security] URL-based image resizing (e.g. image.jpg?resize=2000,2000) is now off by default and, when enabled, capped by a configurable total-pixel limit, so an unauthenticated visitor can no longer exhaust server memory by requesting oversized image transforms (CWE-400). Thanks to @iliaal for the report.
    • [security] With error display off, an uncaught error no longer leaks the file path, line, and exception message to a JSON or AJAX request, which now receives a generic JSON error instead (CWE-209). Thanks to @iliaal for the report.
    • The default theme is now quark2 to match the theme bundled with Grav 2.0, so reverting the theme setting in the Admin panel no longer leaves the site pointing at the missing quark theme. Fixes getgrav/grav#4108.
    • A missing theme no longer takes the Admin panel and API down along with the frontend, so the site stays reachable to fix the theme setting.
    • A Twig template that calls a function or filter which isn't registered in the current context, such as a plugin function referenced in a template while that plugin is inactive in the Admin panel, now renders as empty again instead of failing with an "Unknown function" error. This also restores form notification emails whose data template uses an unregistered filter, which were arriving with the raw {% include %} tag in the body. Calls to real PHP functions still require an explicit safe_functions entry. Fixes getgrav/grav#4110 and getgrav/grav#4115.
    • Twig in page content can again read media by filename under the security sandbox in deeply modular and nested layouts, so an expression like {{ page.media['photo.jpg'].url }} resolves instead of leaking its raw {{ ... }} into the output. Fixes getgrav/grav#4114.
v2.0.0-rc.7 3 weeks ago
    • Upgrading Grav core from the Admin panel no longer fails with "Failed to upgrade Grav core" because the installer misread the incoming release version and then wrongly flagged every installed plugin as incompatible; command line upgrades were unaffected.
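The image-action validation described in the rc.10, rc.8 and 1.7.53 entries above (numeric-only resize dimensions, a total-pixel cap, a fixed set of media actions, and URL transforms off by default), as an added Python example; it is not Grav's own code, and `MAX_PIXELS`, `ALLOWED_ACTIONS`, `parse_resize` and `parse_media_actions` are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

MAX_PIXELS = 4_000_000  # assumed cap; Grav's limit is configurable
ALLOWED_ACTIONS = {"resize", "cropResize", "rotate"}  # assumed documented subset


class MediaActionError(ValueError):
    """Raised for any action or argument that is not on the allow-list."""


def parse_resize(value: str, max_pixels: int = MAX_PIXELS) -> tuple[int, int]:
    """Accept only 'width,height' digits, then cap the pixel count, so a
    value such as '100;position:fixed' never reaches the inline style."""
    m = re.fullmatch(r"(\d{1,5}),(\d{1,5})", value)
    if not m:
        raise MediaActionError(f"resize needs numeric width,height: {value!r}")
    width, height = int(m[1]), int(m[2])
    if width == 0 or height == 0 or width * height > max_pixels:
        raise MediaActionError(f"{width}x{height} exceeds {max_pixels} pixels")
    return width, height


def parse_media_actions(query: str, source: str = "content",
                        url_transforms_enabled: bool = False) -> list:
    """Validate the query part of an image reference (img.png?resize=...).
    source is "content" for Markdown written by an editor or "url" for a
    visitor-supplied request; URL transforms are ignored unless enabled."""
    if source == "url" and not url_transforms_enabled:
        return []
    actions = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in ALLOWED_ACTIONS:
            # Unknown keys must not be mapped onto arbitrary media-object methods.
            raise MediaActionError(f"media action not allowed: {key!r}")
        if key in ("resize", "cropResize"):
            actions.append((key, parse_resize(value)))
        else:  # rotate
            if not re.fullmatch(r"-?\d{1,3}", value):
                raise MediaActionError(f"rotate needs an integer: {value!r}")
            actions.append((key, int(value)))
    return actions
```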