Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2. | |
| Title | Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection | |
| First Time appeared |
Getgrav
Getgrav grav-plugin-admin |
|
| Weaknesses | CWE-502 CWE-78 |
|
| CPEs | cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Getgrav
Getgrav grav-plugin-admin |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:40.943Z
Reserved: 2026-06-22T17:09:16.556Z
Link: CVE-2026-56700
No data.
No data.
No data.
OpenCVE Enrichment
No data.