⚡ Active KEV CVE-2026-56700 2026-06-30

CVE-2026-56700: Critical Multiple Code-Execution Flaws in Grav CMS

"Grav CMS versions before 2.0.0-beta.2 contain multiple critical code-execution vulnerabilities that can give a remote attacker arbitrary code execution on affected servers."

What Is It

CVE-2026-56700 bundles several code-execution weaknesses in Grav CMS. Three unsafe unserialize() calls, in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session, deserialize untrusted data without restricting allowed classes. This enables PHP object injection and, through a gadget chain, arbitrary code execution wherever an attacker controls the serialized input (CWE-502).
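As an added illustration (not Grav's own code), the unrestricted unserialize() pattern the advisory describes beside its hardened form; the reader function, the placeholder class name and the sample payloads are constructed for this example:

```php
<?php
// Added example, not Grav code. Requires PHP 8.0+ (mixed type).
// A cache-file reader that deserializes data an attacker may control.

// Constructed sample payloads.
$scalarPayload = serialize(['key' => 'value', 'ttl' => 3600]);
// A serialized object of an arbitrary class. In a real attack this would name
// a gadget class; "PlaceholderClass" is a harmless, undefined placeholder.
$objectPayload = 'O:16:"PlaceholderClass":1:{s:4:"note";s:7:"example";}';

// Vulnerable pattern (CWE-502): every class named in the stream is
// instantiated, so magic methods such as __wakeup/__destruct on any
// loadable gadget class run with attacker-chosen properties.
function readEntryUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern: no class may be instantiated. Objects in the stream
// decode to __PHP_Incomplete_Class, which is then rejected explicitly.
function readEntrySafe(string $raw): mixed
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new UnexpectedValueException('Malformed cache entry');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('Object payload in cache entry rejected');
    }
    return $value;
}

// Recursively detect any object (including __PHP_Incomplete_Class).
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(readEntrySafe($scalarPayload)); // plain array, accepted
try {
    readEntrySafe($objectPayload);        // object payload, rejected
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the stored data is purely scalar, json_encode()/json_decode() avoids unserialize() entirely and is the simpler fix.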

The advisory also reports an OS command injection flaw (CWE-78): InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing command injection during plugin/theme installation, although this path requires admin access. A Twig security blocklist bypass (server-side template injection) is present as well.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The deserialization path is network-reachable, low-complexity, and requires no privileges or user interaction. Successful exploitation yields full confidentiality, integrity, and availability impact, effectively a complete compromise of the affected CMS host. A secondary CVSS 4.0 score of 9.3 (CRITICAL) is also assigned.

What's Vulnerable

Grav CMS versions before 2.0.0-beta.2. The components named in the advisory are Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session (unsafe unserialize() calls), InstallCommand (unescaped git clone parameters), and the Twig security blocklist.

Patch Status

The issues are fixed in Grav 2.0.0-beta.2. Administrators should upgrade to 2.0.0-beta.2 or later to remediate all of the described flaws. No CISA KEV entry accompanies this record, so active exploitation is not confirmed in the supplied source material.