Grav CMS versions before 2.0.0-beta.2 contain multiple critical code-execution vulnerabilities that can give a remote attacker arbitrary code execution on affected servers.
What Is It
CVE-2026-56700 bundles several code-execution weaknesses in Grav CMS. Three unsafe unserialize() calls, in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session, deserialize untrusted data without restricting allowed classes. This enables PHP object injection and, through a gadget chain, arbitrary code execution wherever an attacker controls the serialized input (CWE-502).
The advisory also reports an OS command injection flaw (CWE-78): InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing command injection via plugin/theme installation, though this path requires admin access. A Twig security blocklist bypass (server-side template injection) is present as well.
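To make the two weaknesses concrete from the fixing side, here is an added PHP example (not Grav's code, and not the upstream patch) showing hardened counterparts to the patterns described above: a deserialization wrapper that restricts `allowed_classes` and rejects payloads that reference anything else, and a git clone command builder that validates each parameter and quotes it with `escapeshellarg()`. Function names, the allow-list patterns and the sample inputs are assumptions chosen for the illustration; PHP 8 is assumed.

```php
<?php
// Added illustration, not Grav's code. Function names and patterns are assumed.

// 1. Deserialization (CWE-502). A bare unserialize($blob) lets the input
//    instantiate any autoloadable class, which is what makes object injection
//    and gadget chains possible. With allowed_classes restricted (PHP >= 7.0),
//    unexpected objects come back as __PHP_Incomplete_Class instead, and we
//    refuse the payload outright when that happens.
function safe_unserialize(string $blob, array $allowed = []): mixed
{
    $value = @unserialize($blob, [
        'allowed_classes' => $allowed === [] ? false : $allowed,
        'max_depth'       => 32,   // PHP >= 7.4: bound nesting of attacker-shaped input
    ]);
    if ($value === false && $blob !== serialize(false)) {
        throw new RuntimeException('malformed serialized payload');
    }
    if (contains_incomplete_class($value)) {
        throw new RuntimeException('serialized payload references a disallowed class');
    }
    return $value;
}

// Walk arrays and object properties so a disallowed class nested inside an
// allowed container is still caught.
function contains_incomplete_class(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// 2. Command construction (CWE-78). Interpolating branch/url/path straight into
//    a shell string lets shell metacharacters in any of them alter the command.
//    Validate each value against a strict shape first, then quote it so the
//    shell never interprets it. The patterns below are assumptions.
function git_clone_command(string $url, string $branch, string $path): string
{
    if (!preg_match('~^https://[A-Za-z0-9.-]+/[A-Za-z0-9._/-]+$~', $url)) {
        throw new InvalidArgumentException('unexpected repository URL');
    }
    if (!preg_match('~^[A-Za-z0-9._/-]+$~', $branch) || str_starts_with($branch, '-')) {
        throw new InvalidArgumentException('unexpected branch name');
    }
    if (!preg_match('~^[A-Za-z0-9._/-]+$~', $path)
        || str_starts_with($path, '-') || str_contains($path, '..')) {
        throw new InvalidArgumentException('unexpected target path');
    }
    // '--' stops git from reading a later argument as an option; escapeshellarg
    // single-quotes each value so the shell passes it through literally.
    return 'git clone --branch ' . escapeshellarg($branch)
         . ' -- ' . escapeshellarg($url) . ' ' . escapeshellarg($path);
}

// Constructed inputs to exercise both helpers.
var_dump(safe_unserialize('a:1:{s:4:"name";s:4:"blog";}'));   // plain array: accepted
try {
    safe_unserialize('O:8:"stdClass":0:{}');                  // object: rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo git_clone_command('https://example.invalid/plugin-repo', 'main', 'user/plugins/example'), PHP_EOL;
try {
    git_clone_command('https://example.invalid/plugin-repo', 'main;x', 'user/plugins/example');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The `allowed_classes` option is the standard mitigation for CWE-502 in PHP, but it only helps when the list is tight; passing the classes the caller actually expects (for example a single DTO) is safer than `true`. For the command builder, the allow-list check does the real work and `escapeshellarg()` is the second layer; using an argument array with `proc_open()` rather than a shell string removes the shell from the picture entirely.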
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The deserialization path is network-reachable, low-complexity, and requires no privileges or user interaction. Successful exploitation yields full confidentiality, integrity, and availability impact, effectively a complete compromise of the affected CMS host. A secondary CVSS 4.0 score of 9.3 (CRITICAL) is also assigned.
What's Vulnerable
- Vendor/Product: Grav CMS (getgrav)
- Affected: all versions before 2.0.0-beta.2
- Fixed: 2.0.0-beta.2 and later (unaffected)
Patch Status
The issues are fixed in Grav 2.0.0-beta.2. Administrators should upgrade to 2.0.0-beta.2 or later to remediate all of the described flaws. No CISA KEV entry accompanies this record, so active exploitation is not confirmed in the supplied source material.