grocy_project CVE Vulnerabilities & Metrics

Focus on grocy_project vulnerabilities and metrics.

Last updated: 10 Sep 2025, 22:25 UTC

About grocy_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with grocy_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total grocy_project CVEs: 9
Earliest CVE date: 18 Nov 2020, 21:15 UTC
Latest CVE date: 06 Jan 2025, 21:15 UTC

Latest CVE reference: CVE-2024-55076

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -66.67%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -66.67%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical grocy_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.39

Max CVSS: 3.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	9
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS grocy_project CVEs

These are the five CVEs with the highest CVSS scores for grocy_project, sorted by severity first and recency.

CVE-2020-25454 grocy_project Published on 18 Nov 2020, 21:15 UTC (CVSS: 3.5)
Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.
CVE-2024-55076 grocy_project Published on 06 Jan 2025, 21:15 UTC (CVSS: 0)
Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.
CVE-2024-55074 grocy_project Published on 06 Jan 2025, 20:15 UTC (CVSS: 0)
The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.
CVE-2023-48866 grocy_project Published on 04 Dec 2023, 15:15 UTC (CVSS: 0)
A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies.
CVE-2023-48200 grocy_project Published on 15 Nov 2023, 23:15 UTC (CVSS: 0)
Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

All CVEs for grocy_project

CVE-2024-55076 grocy_project vulnerability CVSS: 0 06 Jan 2025, 21:15 UTC

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

CVE-2024-55074 grocy_project vulnerability CVSS: 0 06 Jan 2025, 20:15 UTC

The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.

CVE-2023-48866 grocy_project vulnerability CVSS: 0 04 Dec 2023, 15:15 UTC

A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies.

CVE-2023-48200 grocy_project vulnerability CVSS: 0 15 Nov 2023, 23:15 UTC

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

CVE-2023-48199 grocy_project vulnerability CVSS: 0 15 Nov 2023, 23:15 UTC

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.

CVE-2023-48198 grocy_project vulnerability CVSS: 0 15 Nov 2023, 23:15 UTC

A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies.

CVE-2023-48197 grocy_project vulnerability CVSS: 0 15 Nov 2023, 23:15 UTC

Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function.

CVE-2023-42270 grocy_project vulnerability CVSS: 0 15 Sep 2023, 14:15 UTC

Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).

CVE-2020-25454 grocy_project vulnerability CVSS: 3.5 18 Nov 2020, 21:15 UTC

Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.