SQL Injection Vulnerability in Grav CMS Database Plugin
CVE-2026-58492
9.2CRITICAL
What is CVE-2026-58492?
The Grav CMS database plugin is vulnerable due to improper handling of input in the PDO::tableExists method. Specifically, the vulnerability allows attacker-controlled table names to be interpolated directly into raw SQL query strings without adequate sanitization or escaping. This flaw enables malicious entities to execute arbitrary SQL commands against the database, potentially compromising the integrity and confidentiality of the data handled by the application. The issue has been addressed in version 1.2.0, which includes necessary security measures to prevent such exploitation.
Affected Version(s)
grav < 1.2.0
