CVE-2026-58655

Grav · Grav

The Grav Flex Objects plugin is vulnerable to server-side template injection, allowing authenticated attackers to execute arbitrary code.

Executive summary

A server-side template injection flaw in the Grav Flex Objects plugin allows authenticated attackers to execute arbitrary code on the host system.

Vulnerability

The Grav Flex Objects plugin is susceptible to code injection (CWE-94) via dynamic titles, which permits an authenticated attacker to perform server-side template injection. This allows for the execution of arbitrary code within the application context.

Business impact

Rated at 8.8 on the CVSS scale, this vulnerability represents a severe threat to the integrity and availability of the Grav CMS. Successful exploitation enables an attacker to gain full control over the web server, leading to potential data theft, site defacement, or the deployment of persistent malware.

Remediation

Immediate Action: Update the Grav Flex Objects plugin to version 1.4.0 or later to patch the template injection vulnerability.

Proactive Monitoring: Monitor server logs for unusual system calls or command execution attempts originating from the web application process.

Compensating Controls: Restrict administrative access to trusted personnel only and employ a Web Application Firewall to inspect and sanitize input fields for common template injection payloads.

Exploitation status

Public Exploit Available: false

Analyst recommendation

While this vulnerability requires authentication, the potential for remote code execution makes it a high-priority item. Administrators must update the affected plugin to version 1.4.0 immediately to prevent potential system-level compromise.