Description
Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.
Severity (CVSS)
| Base score | 9.3 |
|---|---|
| Severity | Critical |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-502 — Deserialization of Untrusted Data
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Grav | Grav | 0 to <2.0.0-beta.2; 2.0.0-beta.2 |
References
Generated from the official CVE List on 01 Jul 2026 07:05 UTC.