Path Traversal and Injection Vulnerability in Grav CMS Database Plugin
CVE-2026-58493
5.1MEDIUM
What is CVE-2026-58493?
The Grav CMS database plugin prior to version 1.2.0 allows an attacker with administrative access to exploit unvalidated user inputs when constructing PDO DSN strings. By manipulating configuration values such as host or database name, an attacker can inject malicious DSN attributes or execute path traversal attacks. This critical issue, which compromises the integrity of database connections, has been addressed in the recently released version 1.2.0, ensuring better input validation and security.
Affected Version(s)
grav < 1.2.0
