Stored Server-Side Template Injection in Grav Flex Objects Plugin by Getgrav
CVE-2026-58655
8.7HIGH
What is CVE-2026-58655?
The Grav Flex Objects plugin prior to version 1.4.0 contains a vulnerability that allows an attacker to execute arbitrary Twig code due to improper handling of user-controlled values in dynamic titles. This flaw arises when the plugin passes these values directly to the Twig template engine, bypassing necessary sanitization measures. An attacker exploiting this vulnerability can manipulate the title frontmatter of publicly accessible pages, ultimately leading to the potential execution of remote commands on the server through internal services such as the scheduler.
Affected Version(s)
grav 0 < 1.4.0
grav 1.4.0
