Downloads
Everything Grav
Download Grav
Grav Core is the base package with core functionality and a few essential starting pages. Grav Core + Admin also includes the Administration Panel plugin. Both are easy to get started with — check out our Basic Tutorial and Guide to the Administration Panel.
Latest stable release
Production-ready. The version we recommend for every new site and every upgrade of an existing one.
Get Started
1
Quick installation
- Download either the Grav Core or Grav Core + Admin2 plugin installation package.
- Extract the zip file into your webroot.
- Point your browser at your local webserver:
http://yoursite.com
2
How to install the Admin2 plugin
If you have not already installed the admin plugin, you can do so easily with GPM:
$
This will install the admin plugin plus its dependencies (api & login). After this is complete, point your browser to your Grav installation and you will be prompted to create a new admin user.
Changelog
v2.0.7
Latest
1 day ago
-
- [security] A page editor can no longer run commands on the server by hiding a callable directive in a form field's settings; dynamic field data now refuses dangerous functions and cannot be tricked into reaching one through a helper (GHSA-fj2p-qj2f-74v5).
- A page's
translatedLanguages()now localizes ancestor slugs too, so a nested translation whose parent folder has a localizedslug:produces the fully translated cross-language link instead of leaving parent segments in the current language. Fixes getgrav/grav#4186. - Pointing the log stream at
environment://(for examplelog: environment://logs) no longer crashes the site orbin/grav clearwith a "stream must either be a resource or a string" error when the per-environment folder does not exist; logging now falls back to the defaultlogs/folder instead. Fixes getgrav/grav#4172. - The
media://stream now checks the per-environmentuser/env/<host>/media/folder before the shareduser/media/, so site media stored per environment resolves to the correct URL in the admin and in page content instead of a brokenuser/media/link. Fixes getgrav/grav#4188. - Large file downloads such as site backups are now streamed to the browser in chunks instead of being loaded into memory all at once, so a download bigger than PHP's memory limit no longer fails with a blank server error. Fixes getgrav/grav-plugin-api#12.
- Backups initialization no longer runs twice when something that bypasses the normal request middleware (such as the API plugin) also attaches the backup scheduler listener, so the listener is registered only once.
- Pages accessed with URL parameters such as pagination or taxonomy filters no longer recompile every Twig template on each request, restoring full template caching on exactly the pages that get the most traffic.
- The per-file compiled cache for YAML and markdown files now loads through its intended opcache fast path, and a source file that has been deleted no longer serves stale cached data.
- A modular page that outputs trusted theme or plugin markup, such as a form with a reCAPTCHA field, is no longer wrongly blanked by the content security scan, which now checks the editor's own content instead of the finished template output. Fixes getgrav/grav-plugin-form#636.
- Chaining media actions on page media under the content security scan, such as
{{ page.media['x.jpg'].lightbox(1024,768).cropResize(176,176).html() }}, now works instead of being blocked, and the scan's list of allowed media methods stays in step with Grav's documented media actions automatically.
-
- Updating a plugin or theme whose required dependency is held back by a newer Grav or PHP requirement now explains the real fix. Instead of reporting that the needed version is "higher than the latest release" and suggesting a cache refresh, the updater names the newer dependency release and the Grav (or PHP) version it needs, so you know to update Grav first. Relates to getgrav/grav-plugin-admin2#93.
- Backup profiles now always appear in the scheduler where each can be switched on or off with the Enabled/Disabled toggle, instead of a profile staying hidden until its schedule was turned on; the profile's schedule setting seeds the default state and an explicit toggle takes precedence.
- Frontend requests are noticeably faster across the board: the scheduler, backups machinery, error page renderer and logger now initialize only when actually used instead of on every page view, cutting over 50 PHP files from a typical request.
- The filesystem scan that checks pages for changes now reuses its result for a couple of seconds (configurable with
cache.check.interval), so busy sites no longer stat every page file on every single request; content edits still show up right away in normal editing workflows and admin saves remain instant. - Configuration, blueprint and language file lists honor the same freshness window instead of checking every tracked file's timestamp three times per request, and theme blueprints no longer load at all on normal frontend page views.
- Class autoloading is faster: source installs get an optimized class map, APCu is suggested so the existing autoloader cache setting can engage, and plugin autoloaders no longer sit in front of the core one where every core class lookup had to pass through them first.
- Rendering a page with cached content no longer loads its whole media collection up front, the pages index no longer stores pre-computed metadata for every page, and relative markdown links resolve their target page directly instead of building the full page list per link.
- Assorted hot-path trims: string helpers use fast native functions for the common case, asset rendering skips per-asset integrity work when the feature is off, the site root URL is computed once per request instead of per asset, and debugger timers cost nothing when the debugger is disabled.
- New experimental opt-in page index (
pages.lazy_index: true): pages, routes, children lists, sort orders and the taxonomy map load on demand from a per-page index instead of one large cache blob that has to be fully unserialized on every request, making per-request cost flat as sites grow: a 2,000 page test site renders as fast as a 2 page one and uses a quarter of the memory; SQLite powers the index when available with a pure PHP fallback, and the default behavior is completely unchanged until the flag is enabled. - Page collection filters (
visible,routable,published, module) now use menu flags recorded in the page index, so building a navigation menu that filters a folder to its visible pages no longer loads every hidden sibling first. On a 500 post blog under the Quark theme this cut the pages built for a page view from all 507 to 7 and roughly halved memory; it helps every site, most of all large ones with the experimental page index enabled. - Sorting a page collection by date, title, or another common field now reads that value from the page index instead of loading every page in the collection just to read one field, and on single language sites the automatic translated filter that every collection applies no longer loads any pages at all. With the experimental page index enabled, a blog post showing a related posts grid dropped from loading every post on the site to only the handful it displays.
- The setting that scans page content for XSS moved to
security.content.xss_scan_output, since it applies to all page content rather than only Twig in content; the previoussecurity.twig_content.xss_scan_outputlocation keeps working and is moved to the new one automatically on upgrade.
v2.0.6 5 days ago
-
- [security] Flex user avatars stored under
user/accounts/<username>/(folder storage) are now served too; the 2.0.5 avatar carve-out only covered the flatfileuser/accounts/avatars/layout, so folder-storage avatars kept returning a 403. Existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
- [security] Flex user avatars stored under
v2.0.5 5 days ago
-
- A page's
translatedLanguages()now returns each language's own route, so a translation with a localizedslug:produces the correct cross-language link instead of repeating the default language's URL. Fixes getgrav/grav#4183. - [security] Profile avatars display again instead of returning a 403; the folder hardening that locked down
user/accountsnow makes a narrow exception for avatar images while account data such as password hashes stays blocked, and existing sites self-heal on upgrade. Fixes getgrav/grav#4185. - Loading a page no longer fails with a "Failed to write cache file" error when Grav can't save the compiled template cache, such as on a shared folder, a full disk, or during a save-then-reload race; the page still renders and the problem is logged instead. Fixes getgrav/grav#4184.
- A page's
v2.0.4 6 days ago
-
- Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
- Added an
onXssTrustedMarkupevent that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.
-
- [security] Grav's
.htaccessrules blocking sensitive folders and files are now matched case-insensitively, closing a bypass where, on case-insensitive filesystems (Windows, macOS, some Docker mounts), a differently-cased request could reach files such as account and config YAML; existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79). - [security] The
user/datafolder now ships a media-aware allowlist that serves uploaded assets such as images, fonts, CSS and JS while keeping data files like YAML and JSON blocked, and upgrading widens an over-narrow allowlist from earlier security updates in place so legitimate theme assets stop returning 403. Fixes getgrav/grav#4169. - [security] The Twig
regex_replacefilter now returns its input unchanged instead of null when a pattern hits a PCRE error such as a backtrack-limit, so a catastrophic pattern can no longer break output (GHSA-37f3-6p89-6qr9). bin/gpm self-upgradeno longer fails on shared-folder setups such as a VirtualBox shared folder, where thebindirectory holding the running script could not be deleted, by overwriting the upgrade files in place instead. Fixes getgrav/grav#4171.- Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar, which can only display on normal pages. Fixes getgrav/grav-plugin-admin2#76.
- Resizing an image larger than its original size with
?resize=no longer pads it onto an oversized canvas with a white border, returning the image at its natural size instead unless?forceresizeis used. Fixes getgrav/grav#4173. - Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes getgrav/grav#4175.
- A blueprint validation error now names the value it rejected, so a message like "Invalid input in Process" explains what actually caused it instead of leaving you guessing. Relates to getgrav/grav#4178.
- Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list, so a resolved entry no longer lingers as if nothing happened. Fixes getgrav/grav-plugin-admin2#85.
- [security] Grav's
v2.0.3 1 week ago
-
- Added an optional
system.session.read_and_closesetting that releases the session as soon as it has been read, so a site's simultaneous requests no longer queue up one behind another waiting on the session; off by default.
- Added an optional
-
- A
bin/gpm self-upgradethat stops while replacing core files now names the exact file or folder it could not remove and the reason why, and points out when the file is owned by a different user than the one running the command, which is the usual cause of an upgrade that works from the admin but fails on the command line. Fixes getgrav/grav#4162.
- A
v2.0.2 2 weeks ago
-
- [security] ZIP extraction in both Direct Install and the internal archiver now enforces the uncompressed-size limit against the bytes actually written, rather than the size each entry claims, so an archive that understates its real size can no longer slip a decompression bomb past the limit (GHSA-8h9x-89f2-m7x3).
- [security] Editor-authored Twig in page content can no longer read configuration secrets by dumping the config object through a filter such as
print_rorjson_encode, closing a sandbox bypass that exposed plugin credentials and API keys (GHSA-mc5q-6hpj-rp7j). - A failed
bin/gpm self-upgradenow reports the specific reason it stopped and records the full details inlogs/grav.log, instead of showing a generic "Unknown error" with nothing to act on. Fixes getgrav/grav#4158. - A page that displays inline SVG or MathML icons, such as the svg-icon shortcode or GitHub-style alert callouts, no longer renders blank when page-content Twig processing is enabled, because the render-time security scan now skips that legitimate icon markup while still catching injected scripts around it.
v2.0.7
Latest
1 day ago
-
- [security] A page editor can no longer run commands on the server by hiding a callable directive in a form field's settings; dynamic field data now refuses dangerous functions and cannot be tricked into reaching one through a helper (GHSA-fj2p-qj2f-74v5).
- A page's
translatedLanguages()now localizes ancestor slugs too, so a nested translation whose parent folder has a localizedslug:produces the fully translated cross-language link instead of leaving parent segments in the current language. Fixes getgrav/grav#4186. - Pointing the log stream at
environment://(for examplelog: environment://logs) no longer crashes the site orbin/grav clearwith a "stream must either be a resource or a string" error when the per-environment folder does not exist; logging now falls back to the defaultlogs/folder instead. Fixes getgrav/grav#4172. - The
media://stream now checks the per-environmentuser/env/<host>/media/folder before the shareduser/media/, so site media stored per environment resolves to the correct URL in the admin and in page content instead of a brokenuser/media/link. Fixes getgrav/grav#4188. - Large file downloads such as site backups are now streamed to the browser in chunks instead of being loaded into memory all at once, so a download bigger than PHP's memory limit no longer fails with a blank server error. Fixes getgrav/grav-plugin-api#12.
- Backups initialization no longer runs twice when something that bypasses the normal request middleware (such as the API plugin) also attaches the backup scheduler listener, so the listener is registered only once.
- Pages accessed with URL parameters such as pagination or taxonomy filters no longer recompile every Twig template on each request, restoring full template caching on exactly the pages that get the most traffic.
- The per-file compiled cache for YAML and markdown files now loads through its intended opcache fast path, and a source file that has been deleted no longer serves stale cached data.
- A modular page that outputs trusted theme or plugin markup, such as a form with a reCAPTCHA field, is no longer wrongly blanked by the content security scan, which now checks the editor's own content instead of the finished template output. Fixes getgrav/grav-plugin-form#636.
- Chaining media actions on page media under the content security scan, such as
{{ page.media['x.jpg'].lightbox(1024,768).cropResize(176,176).html() }}, now works instead of being blocked, and the scan's list of allowed media methods stays in step with Grav's documented media actions automatically.
-
- Updating a plugin or theme whose required dependency is held back by a newer Grav or PHP requirement now explains the real fix. Instead of reporting that the needed version is "higher than the latest release" and suggesting a cache refresh, the updater names the newer dependency release and the Grav (or PHP) version it needs, so you know to update Grav first. Relates to getgrav/grav-plugin-admin2#93.
- Backup profiles now always appear in the scheduler where each can be switched on or off with the Enabled/Disabled toggle, instead of a profile staying hidden until its schedule was turned on; the profile's schedule setting seeds the default state and an explicit toggle takes precedence.
- Frontend requests are noticeably faster across the board: the scheduler, backups machinery, error page renderer and logger now initialize only when actually used instead of on every page view, cutting over 50 PHP files from a typical request.
- The filesystem scan that checks pages for changes now reuses its result for a couple of seconds (configurable with
cache.check.interval), so busy sites no longer stat every page file on every single request; content edits still show up right away in normal editing workflows and admin saves remain instant. - Configuration, blueprint and language file lists honor the same freshness window instead of checking every tracked file's timestamp three times per request, and theme blueprints no longer load at all on normal frontend page views.
- Class autoloading is faster: source installs get an optimized class map, APCu is suggested so the existing autoloader cache setting can engage, and plugin autoloaders no longer sit in front of the core one where every core class lookup had to pass through them first.
- Rendering a page with cached content no longer loads its whole media collection up front, the pages index no longer stores pre-computed metadata for every page, and relative markdown links resolve their target page directly instead of building the full page list per link.
- Assorted hot-path trims: string helpers use fast native functions for the common case, asset rendering skips per-asset integrity work when the feature is off, the site root URL is computed once per request instead of per asset, and debugger timers cost nothing when the debugger is disabled.
- New experimental opt-in page index (
pages.lazy_index: true): pages, routes, children lists, sort orders and the taxonomy map load on demand from a per-page index instead of one large cache blob that has to be fully unserialized on every request, making per-request cost flat as sites grow: a 2,000 page test site renders as fast as a 2 page one and uses a quarter of the memory; SQLite powers the index when available with a pure PHP fallback, and the default behavior is completely unchanged until the flag is enabled. - Page collection filters (
visible,routable,published, module) now use menu flags recorded in the page index, so building a navigation menu that filters a folder to its visible pages no longer loads every hidden sibling first. On a 500 post blog under the Quark theme this cut the pages built for a page view from all 507 to 7 and roughly halved memory; it helps every site, most of all large ones with the experimental page index enabled. - Sorting a page collection by date, title, or another common field now reads that value from the page index instead of loading every page in the collection just to read one field, and on single language sites the automatic translated filter that every collection applies no longer loads any pages at all. With the experimental page index enabled, a blog post showing a related posts grid dropped from loading every post on the site to only the handful it displays.
- The setting that scans page content for XSS moved to
security.content.xss_scan_output, since it applies to all page content rather than only Twig in content; the previoussecurity.twig_content.xss_scan_outputlocation keeps working and is moved to the new one automatically on upgrade.
v2.0.6 5 days ago
-
- [security] Flex user avatars stored under
user/accounts/<username>/(folder storage) are now served too; the 2.0.5 avatar carve-out only covered the flatfileuser/accounts/avatars/layout, so folder-storage avatars kept returning a 403. Existing sites self-heal on upgrade. Fixes getgrav/grav#4185.
- [security] Flex user avatars stored under
v2.0.5 5 days ago
-
- A page's
translatedLanguages()now returns each language's own route, so a translation with a localizedslug:produces the correct cross-language link instead of repeating the default language's URL. Fixes getgrav/grav#4183. - [security] Profile avatars display again instead of returning a 403; the folder hardening that locked down
user/accountsnow makes a narrow exception for avatar images while account data such as password hashes stays blocked, and existing sites self-heal on upgrade. Fixes getgrav/grav#4185. - Loading a page no longer fails with a "Failed to write cache file" error when Grav can't save the compiled template cache, such as on a shared folder, a full disk, or during a save-then-reload race; the page still renders and the problem is logged instead. Fixes getgrav/grav#4184.
- A page's
v2.0.4 6 days ago
-
- Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
- Added an
onXssTrustedMarkupevent that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.
-
- [security] Grav's
.htaccessrules blocking sensitive folders and files are now matched case-insensitively, closing a bypass where, on case-insensitive filesystems (Windows, macOS, some Docker mounts), a differently-cased request could reach files such as account and config YAML; existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79). - [security] The
user/datafolder now ships a media-aware allowlist that serves uploaded assets such as images, fonts, CSS and JS while keeping data files like YAML and JSON blocked, and upgrading widens an over-narrow allowlist from earlier security updates in place so legitimate theme assets stop returning 403. Fixes getgrav/grav#4169. - [security] The Twig
regex_replacefilter now returns its input unchanged instead of null when a pattern hits a PCRE error such as a backtrack-limit, so a catastrophic pattern can no longer break output (GHSA-37f3-6p89-6qr9). bin/gpm self-upgradeno longer fails on shared-folder setups such as a VirtualBox shared folder, where thebindirectory holding the running script could not be deleted, by overwriting the upgrade files in place instead. Fixes getgrav/grav#4171.- Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar, which can only display on normal pages. Fixes getgrav/grav-plugin-admin2#76.
- Resizing an image larger than its original size with
?resize=no longer pads it onto an oversized canvas with a white border, returning the image at its natural size instead unless?forceresizeis used. Fixes getgrav/grav#4173. - Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes getgrav/grav#4175.
- A blueprint validation error now names the value it rejected, so a message like "Invalid input in Process" explains what actually caused it instead of leaving you guessing. Relates to getgrav/grav#4178.
- Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list, so a resolved entry no longer lingers as if nothing happened. Fixes getgrav/grav-plugin-admin2#85.
- [security] Grav's
v2.0.3 1 week ago
-
- Added an optional
system.session.read_and_closesetting that releases the session as soon as it has been read, so a site's simultaneous requests no longer queue up one behind another waiting on the session; off by default.
- Added an optional
-
- A
bin/gpm self-upgradethat stops while replacing core files now names the exact file or folder it could not remove and the reason why, and points out when the file is owned by a different user than the one running the command, which is the usual cause of an upgrade that works from the admin but fails on the command line. Fixes getgrav/grav#4162.
- A
v2.0.2 2 weeks ago
-
- [security] ZIP extraction in both Direct Install and the internal archiver now enforces the uncompressed-size limit against the bytes actually written, rather than the size each entry claims, so an archive that understates its real size can no longer slip a decompression bomb past the limit (GHSA-8h9x-89f2-m7x3).
- [security] Editor-authored Twig in page content can no longer read configuration secrets by dumping the config object through a filter such as
print_rorjson_encode, closing a sandbox bypass that exposed plugin credentials and API keys (GHSA-mc5q-6hpj-rp7j). - A failed
bin/gpm self-upgradenow reports the specific reason it stopped and records the full details inlogs/grav.log, instead of showing a generic "Unknown error" with nothing to act on. Fixes getgrav/grav#4158. - A page that displays inline SVG or MathML icons, such as the svg-icon shortcode or GitHub-style alert callouts, no longer renders blank when page-content Twig processing is enabled, because the render-time security scan now skips that legitimate icon markup while still catching injected scripts around it.