Code Injection in Grav CMS - #VU137079
Published: July 8, 2026
Grav CMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to unrestricted callable in Blueprint::dynamicData(). A remote administrator can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.