SQL Injection Vulnerability in Grav CMS Database Plugin
CVE-2026-58492

9.2CRITICAL

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-58492?

The Grav CMS database plugin is vulnerable due to improper handling of input in the PDO::tableExists method. Specifically, the vulnerability allows attacker-controlled table names to be interpolated directly into raw SQL query strings without adequate sanitization or escaping. This flaw enables malicious entities to execute arbitrary SQL commands against the database, potentially compromising the integrity and confidentiality of the data handled by the application. The issue has been addressed in version 1.2.0, which includes necessary security measures to prevent such exploitation.

Affected Version(s)

grav < 1.2.0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.