Return of Wrong Status Code in Grav CMS - CVE-2023-37897
Published: July 18, 2023 / Updated: May 5, 2026
Grav CMS
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists because isDangerousFunction() returns the wrong status code when it processes a Twig |map callable whose name contains a double backslash, so the dangerous-function check does not reject it. A remote privileged user can submit a specially crafted Twig payload to execute arbitrary code.
Exploitation requires access to the Admin panel with page create or update permissions and Twig processing enabled for the modified page.
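The bug class described above is a deny-list check that normalizes its input incompletely before comparing it against the list. The following is an added example, not Grav's code and not the project's real isDangerousFunction() or its real list of blocked names: it contrasts a naive check that strips only one leading backslash with a hardened check that fully normalizes the name, and runs both over constructed page content to show which callables passed to |map each one would flag. The function names, the regular expression and the sample templates are all illustrative assumptions.

```python
import re
from typing import List, Tuple

# Constructed, illustrative subset of PHP callables a template engine must
# never let a template hand to a filter. Not Grav's actual deny list.
DANGEROUS_FUNCTIONS = {"system", "exec", "passthru", "shell_exec", "eval"}


def is_dangerous_naive(name: str) -> bool:
    """Hypothetical buggy check: strips at most ONE leading backslash.

    A fully qualified PHP name like '\\system' is caught, but '\\\\system'
    (two backslashes) becomes '\\system' after the strip, which is not in the
    set, so the check returns False and the name is treated as safe.
    """
    if name.startswith("\\"):
        name = name[1:]
    return name.lower() in DANGEROUS_FUNCTIONS


def is_dangerous_hardened(name: str) -> bool:
    """Hardened check: normalize completely before the comparison.

    Remove surrounding whitespace and EVERY leading backslash, then compare
    case-insensitively, so no spelling of the same callable slips past.
    """
    name = name.strip().lstrip("\\").strip()
    return name.lower() in DANGEROUS_FUNCTIONS


# Matches a string literal passed as the callable of Twig's |map filter,
# e.g. {{ items|map('strtoupper') }}. Assumed pattern for the audit below.
_MAP_CALLABLE = re.compile(r"""\|\s*map\s*\(\s*(['"])(.*?)\1""")


def map_callables(template: str) -> List[str]:
    """Return every string callable handed to |map in a template."""
    return [m.group(2) for m in _MAP_CALLABLE.finditer(template)]


def audit(template: str) -> List[Tuple[str, bool, bool]]:
    """For each |map callable: (name, naive verdict, hardened verdict)."""
    return [
        (name, is_dangerous_naive(name), is_dangerous_hardened(name))
        for name in map_callables(template)
    ]


# Constructed sample page content (not taken from the advisory). Raw strings
# are used so the backslash count in each template is exactly what is shown.
SAMPLE_TEMPLATES = [
    r"{{ items|map('strtoupper')|join(',') }}",  # benign callable
    r"{{ items|map('\system') }}",               # one backslash: both checks flag it
    r"{{ items|map('\\system') }}",              # two backslashes: only the hardened check flags it
]


def audit_all(templates: List[str]) -> List[Tuple[str, bool, bool]]:
    """Flattened audit over several templates, for a stored-content review."""
    findings: List[Tuple[str, bool, bool]] = []
    for template in templates:
        findings.extend(audit(template))
    return findings


if __name__ == "__main__":
    for name, naive, hardened in audit_all(SAMPLE_TEMPLATES):
        print(f"{name!r:20} naive={naive!s:5} hardened={hardened}")
```

The third sample is the interesting one: the naive check reports it as safe while the hardened check rejects it. When reviewing a check like this, the question to ask is whether every transformation the consumer (here PHP's name resolution) applies to the value is also applied before the deny-list comparison; stripping one prefix when the consumer tolerates several is exactly the gap.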