ID:12809 - Exploit for Code Injection in Grav CMS
Published: July 8, 2026
Grav CMS
Link to public exploit:
Vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to unrestricted callable in Blueprint::dynamicData(). A remote administrator can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.