Path Traversal and Injection Vulnerability in Grav CMS Database Plugin
CVE-2026-58493

5.1MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-58493?

The Grav CMS database plugin prior to version 1.2.0 allows an attacker with administrative access to exploit unvalidated user inputs when constructing PDO DSN strings. By manipulating configuration values such as host or database name, an attacker can inject malicious DSN attributes or execute path traversal attacks. This critical issue, which compromises the integrity of database connections, has been addressed in the recently released version 1.2.0, ensuring better input validation and security.

Affected Version(s)

grav < 1.2.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.