CVE-2026-44738
CVSS base score: 7.7
Tags: Exploit

Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
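The mechanism described above is an allow-list granularity problem: once the sandbox may call a method that returns the whole merged configuration, every secret inside it is reachable from a page body, and the fix has to be made at the policy and object-exposure level rather than by filtering template text. The following example is added here for illustration and is not Grav's code or the upstream fix; it uses the real Twig sandbox API (twig/twig 3, PHP 8) but the Config class, the PublicConfig wrapper, the probe templates and all secret values are constructed for this demo.

```php
<?php
// Added example (not Grav's code): a Twig sandbox method allow-list that exposes a
// bulk toArray()-style method leaks the whole merged configuration; removing that
// method alone still leaves a generic getter that leaks individual keys; the
// least-privilege fix binds the sandbox to a view object that never holds secrets.
// Requires: composer require twig/twig   (PHP >= 8.0)
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for a merged site configuration (not Grav's Config class).
final class Config
{
    public function __construct(private array $data) {}

    // Dotted-path getter, e.g. get('plugins.email.smtp.password')
    public function get(string $path, mixed $default = null): mixed
    {
        $node = $this->data;
        foreach (explode('.', $path) as $key) {
            if (!is_array($node) || !array_key_exists($key, $node)) {
                return $default;
            }
            $node = $node[$key];
        }
        return $node;
    }

    // The bulk dump method the loose policy mistakenly exposes to page bodies.
    public function toArray(): array
    {
        return $this->data;
    }
}

// View object (constructed for this demo): holds only explicitly public subtrees,
// so no policy mistake can reach secrets through it.
final class PublicConfig
{
    private Config $view;

    public function __construct(Config $full, array $publicKeys)
    {
        $subset = [];
        foreach ($publicKeys as $key) {
            $subset[$key] = $full->get($key);
        }
        $this->view = new Config($subset);
    }

    public function get(string $path, mixed $default = null): mixed
    {
        return $this->view->get($path, $default);
    }
}

// Render an untrusted page body under a given policy; every template is sandboxed.
function renderUntrusted(SecurityPolicy $policy, string $body, object $config): string
{
    $twig = new Environment(new ArrayLoader(['page' => $body]), ['autoescape' => false]);
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox all templates
    try {
        return $twig->render('page', ['config' => $config]);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Sample merged configuration; all secret values are constructed placeholders.
$merged = new Config([
    'site'    => ['title' => 'Example site'],
    'plugins' => [
        'email' => ['smtp' => ['user' => 'mailer', 'password' => 'smtp-pass-SAMPLE']],
        'aws'   => ['key' => 'AKIA-SAMPLE', 'secret' => 'aws-secret-SAMPLE'],
    ],
]);
$public = new PublicConfig($merged, ['site']);

// Page bodies as an editor-role user could submit them (constructed probes).
$probes = [
    'bulk dump'    => "{{ config.toArray()|json_encode }}",
    'targeted get' => "{{ config.get('plugins.email.smtp.password') }}",
];

// Loose policy: the sandbox may call a method that returns everything.
$loose  = new SecurityPolicy(['if', 'for'], ['escape', 'json_encode'], [Config::class => ['get', 'toArray']]);
// Dump removed, but a generic getter on the full object still answers any path.
$noDump = new SecurityPolicy(['if', 'for'], ['escape', 'json_encode'], [Config::class => ['get']]);
// Scoped: only the public view is bound, and only its getter is callable.
$scoped = new SecurityPolicy(['if', 'for'], ['escape', 'json_encode'], [PublicConfig::class => ['get']]);

foreach ($probes as $name => $body) {
    echo "[$name] loose:   ", renderUntrusted($loose,  $body, $merged), PHP_EOL; // leaks
    echo "[$name] no-dump: ", renderUntrusted($noDump, $body, $merged), PHP_EOL; // bulk blocked, targeted still leaks
    echo "[$name] scoped:  ", renderUntrusted($scoped, $body, $public), PHP_EOL; // nothing secret reachable
}
```

Under the loose policy the first probe prints the whole configuration as JSON, including the SMTP and AWS values. The no-dump policy turns that probe into a SecurityError, but the second probe still prints the SMTP password, because a dotted-path getter on the full object is just a slower toArray(). The scoped policy renders an empty string for both: PublicConfig has no toArray() (Twig returns null for a missing method when strict_variables is off), and its getter only sees the subtrees that were explicitly copied in. The check to take away is to audit not only which methods the sandbox allow-list names but which objects carrying secrets are bound into the template context at all.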
Data provided by the National Vulnerability Database (NVD)

Affected products and versions (NVD):
  Getgrav Grav, versions < 2.0.0
  Getgrav Grav 2.0.0 beta1
  Getgrav Grav 2.0.0 beta2
  Getgrav Grav 2.0.0 beta3
  Getgrav Grav 2.0.0 beta4
  Getgrav Grav 2.0.0 rc1
No warning was found for this CVE.

EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.28%   0.191
CVSS Metrics
Source                          Base Score  Exploitability Score  Impact Score  Vector String
security-advisories@github.com  7.7         3.1                   4.0           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Reference: https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9 (Vendor Advisory, Exploit)