Main Vulnerability Database Vulnerabilities #VU130082

OS Command Injection in Grav CMS - #VU130082

Published: May 5, 2026

Vulnerability identifier: #VU130082

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Grav CMS

Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an os command in InstallCommand git clone handling when constructing a git clone command from branch, url, and path values. A remote user can supply specially crafted dependency values to execute arbitrary commands.

The vulnerable functionality is reachable through plugin or theme installation.

Remediation

Install security update from vendor's website.

Sources

https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p
https://github.com/getgrav/grav/commit/c66dfeb5f

OS Command Injection in Grav CMS - #VU130082

Detailed vulnerability description

Remediation

Sources

Please verify you're human