Return of Wrong Status Code in Grav CMS - CVE-2023-37897

 


Published: July 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU130047
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-37897
CWE-ID: CWE-393
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Grav CMS
Software vendor: Grav CMS

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because isDangerousFunction() returns a wrong status code when processing Twig |map input containing a double backslash. A remote privileged user can submit a specially crafted Twig payload to execute arbitrary code.

Exploitation requires access to the Admin panel with page create or update permissions and Twig processing enabled for the modified page.


Remediation

Install the security update from the vendor's website.
