CVE Catalog

CVE-2026-56700

Severity: Critical (CVSS 9.8)

Exploitation Probability (EPSS)

Elevated risk
1.68%

74th percentile — higher than 74% of all known CVEs

Summary

Grav CMS before version 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls, in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session, deserialize untrusted data without restricting the allowed classes. Wherever an attacker controls the serialized input, this enables PHP object injection and, via a gadget chain, arbitrary code execution. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection during plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present.
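The two bug classes named above, unrestricted unserialize() and unescaped shell interpolation, are shown side by side with their hardened forms in the following added example. This is illustrative code written for this page, not Grav's code; the CacheEntry class, the serialized payload, the repository URL and the paths are constructed for the demonstration.

```php
<?php
// Added illustration of the two bug classes in the advisory; not Grav code.
// The class, the serialized string and the command arguments are constructed.

// Stand-in for a "gadget": any class with a magic method that runs during
// unserialization (__wakeup, __destruct, ...) is a candidate link in a chain.
class CacheEntry
{
    public string $key = 'demo';

    public function __wakeup(): void
    {
        echo "__wakeup() ran for CacheEntry\n";
    }
}

// Pattern 1, vulnerable: attacker-influenced bytes reach unserialize() with
// no class restriction, so any loadable class can be instantiated.
function loadCacheUnsafe(string $raw)
{
    return unserialize($raw);
}

// Pattern 1, hardened: forbid object instantiation entirely. If objects are
// genuinely needed, pass an explicit allow-list instead of false, e.g.
// ['allowed_classes' => [CacheEntry::class]].
function loadCacheSafe(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new RuntimeException('corrupt or tampered cache entry');
    }
    return $value;
}

// Pattern 2, vulnerable: user-supplied values interpolated into a shell command.
function gitCloneCommandUnsafe(string $url, string $branch, string $path): string
{
    return "git clone --branch {$branch} {$url} {$path}";
}

// Pattern 2, hardened: quote every argument with escapeshellarg(), and place
// "--" before the positional arguments so a value beginning with "-" cannot be
// parsed by git as an option.
function gitCloneCommandSafe(string $url, string $branch, string $path): string
{
    return sprintf(
        'git clone --branch %s -- %s %s',
        escapeshellarg($branch),
        escapeshellarg($url),
        escapeshellarg($path)
    );
}

// Constructed payload: a serialized CacheEntry with an attacker-chosen field.
$payload = 'O:10:"CacheEntry":1:{s:3:"key";s:5:"pwned";}';

loadCacheUnsafe($payload);            // prints: __wakeup() ran for CacheEntry
$obj = loadCacheSafe($payload);
echo get_class($obj), "\n";           // __PHP_Incomplete_Class: no magic method runs

// Constructed branch value carrying a shell metacharacter sequence.
$branch = 'main; id > /tmp/pwned';
$url    = 'https://example.invalid/repo.git';
$path   = '/var/www/user/plugins/x';

echo gitCloneCommandUnsafe($url, $branch, $path), "\n"; // second command would run
echo gitCloneCommandSafe($url, $branch, $path), "\n";   // whole value is one quoted arg
```

The hardened loader still returns an object for the payload, but it is a __PHP_Incomplete_Class placeholder whose magic methods never execute, which is what breaks a gadget chain at its first link. For the install path, quoting alone is the fix the advisory describes; passing arguments as an array to proc_open() instead of building a command string avoids the shell entirely and is preferable in new code.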

Risk Assessment

The OS command injection in InstallCommand requires administrative access: an authenticated admin installing a plugin or theme can inject shell commands through the branch, url, or path parameters and gain full control of the server. The three unrestricted unserialize() calls are exploitable by whoever can supply the serialized data consumed by the job queue, file cache, or session handling, and yield arbitrary code execution through a gadget chain. Either path compromises the confidentiality, integrity, and availability of the host and all data it serves.

Recommendation

Immediately upgrade Grav CMS to version 2.0.0-beta.2 or later. Restrict administrative access to trusted users only.

Original NVD description (English source)

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS