Deserialization of Untrusted Data in Grav CMS - #VU130081

Published: May 5, 2026


Vulnerability identifier: #VU130081
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists because the Session flash object handling deserializes session data without treating it as untrusted. A remote attacker who can get crafted serialized content into the session store can have it deserialized by the application and execute arbitrary code.

Session storage is typically harder to reach than the other deserialization vectors: the attacker must first be able to influence what is stored in the session rather than simply supplying serialized data in a request parameter. This prerequisite is reflected in the AT:P (attack requirements present) component of the CVSS vector above.
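The following PHP snippet is an added illustration of the CWE-502 pattern described above; it is not Grav's code and makes no claim about how Grav's session flash handling is implemented. The class name AuditLogger, the function names and the serialized payloads are all constructed for the demo. It contrasts a reader that revives whatever objects are in the session store with two hardened variants (allowed_classes => false, and JSON instead of PHP serialization):

```php
<?php
// Added example (not Grav's code): PHP session flash data read back with
// unserialize(), vulnerable form beside two hardened forms.
declare(strict_types=1);

// Hypothetical class standing in for any class with a magic method that has
// side effects. Real gadget chains reach file writes, includes or command
// execution from __wakeup/__destruct; this one only reports that it ran.
final class AuditLogger
{
    public string $logFile = '/tmp/audit.log';

    public function __wakeup(): void
    {
        echo "[!] AuditLogger::__wakeup() ran for {$this->logFile}" . PHP_EOL;
    }
}

// VULNERABLE: trusts the session store and revives arbitrary objects.
// Whoever controls $stored chooses which classes get instantiated.
function readFlashVulnerable(string $stored): array
{
    $data = unserialize($stored);
    return is_array($data) ? $data : [];
}

// HARDENED (1): keep PHP serialization but refuse to instantiate any class.
// Objects come back as __PHP_Incomplete_Class and no magic method runs.
function readFlashNoClasses(string $stored): array
{
    $data = unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED (2): do not use PHP serialization for flash data at all.
// JSON carries only scalars, arrays and strings, so there is nothing to revive.
function writeFlashJson(array $flash): string
{
    return json_encode($flash, JSON_THROW_ON_ERROR);
}

function readFlashJson(string $stored): array
{
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed session records. A benign flash message ...
$benign = serialize(['notice' => ['Saved.']]);
// ... and a record carrying a serialized object of an arbitrary class. An
// attacker would write these bytes by hand; serialize() is used here only
// so the demo stays self-contained.
$tampered = serialize(['notice' => [new AuditLogger()]]);

echo "--- vulnerable ---" . PHP_EOL;
readFlashVulnerable($benign);
readFlashVulnerable($tampered);   // __wakeup() runs during unserialize()

echo "--- allowed_classes => false ---" . PHP_EOL;
$safe = readFlashNoClasses($tampered);
var_dump($safe['notice'][0] instanceof __PHP_Incomplete_Class); // bool(true), nothing executed

echo "--- json ---" . PHP_EOL;
var_dump(readFlashJson(writeFlashJson(['notice' => ['Saved.']])));
```

Run it with `php example.php`: only the vulnerable reader prints the `[!]` line. When auditing a deployment, a quick check is to look for PHP-serialized object markers (values beginning with `O:` or `C:`) in the session backend; flash data should normally consist of arrays of strings, so any object there warrants investigation.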


Remediation

Install the security update from the vendor's website.

Sources