CVE-2026-58655
Grav · Grav
The Grav Flex Objects plugin is vulnerable to server-side template injection, allowing authenticated attackers to execute arbitrary code.
Executive summary
A server-side template injection flaw in the Grav Flex Objects plugin allows authenticated attackers to execute arbitrary code on the host system.
Vulnerability
The Grav Flex Objects plugin is susceptible to code injection (CWE-94) via dynamic titles, which permits an authenticated attacker to perform server-side template injection. This allows for the execution of arbitrary code within the application context.
Business impact
Rated at 8.8 on the CVSS scale, this vulnerability represents a severe threat to the integrity and availability of the Grav CMS. Successful exploitation enables an attacker to gain full control over the web server, leading to potential data theft, site defacement, or the deployment of persistent malware.
Remediation
Immediate Action: Update the Grav Flex Objects plugin to version 1.4.0 or later to patch the template injection vulnerability.
Proactive Monitoring: Monitor server logs for unusual system calls or command execution attempts originating from the web application process.
Compensating Controls: Restrict administrative access to trusted personnel only and employ a Web Application Firewall to inspect and sanitize input fields for common template injection payloads.
Exploitation status
Public Exploit Available: false
Analyst recommendation
While this vulnerability requires authentication, the potential for remote code execution makes it a high-priority item. Administrators must update the affected plugin to version 1.4.0 immediately to prevent potential system-level compromise.