CVE-2026-56701
MediumCVSS 6.5Summary
Grav before version 2.0.0-beta.2 contains an XML external entity injection (XXE) vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files.
Risk Assessment
This vulnerability may lead to the exfiltration of sensitive data, posing a serious security risk to the organization. It allows attackers to gain access to confidential information stored on the server.
Recommendation
It is recommended to upgrade to Grav version 2.0.0-beta.2 or later to mitigate this vulnerability. Additionally, external entity loading should be disabled in the application.
Original NVD description (English source)
Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.

