Stored Server-Side Template Injection in Grav Flex Objects Plugin by Getgrav
CVE-2026-58655

8.7HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-58655?

The Grav Flex Objects plugin prior to version 1.4.0 contains a vulnerability that allows an attacker to execute arbitrary Twig code due to improper handling of user-controlled values in dynamic titles. This flaw arises when the plugin passes these values directly to the Twig template engine, bypassing necessary sanitization measures. An attacker exploiting this vulnerability can manipulate the title frontmatter of publicly accessible pages, ultimately leading to the potential execution of remote commands on the server through internal services such as the scheduler.

Affected Version(s)

grav 0 < 1.4.0

grav 1.4.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

n00o00b
.