No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Wed, 01 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getgrav grav
|
|
| Vendors & Products |
Getgrav grav
|
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2. | |
| Title | Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection | |
| First Time appeared |
Getgrav
Getgrav grav-plugin-admin |
|
| Weaknesses | CWE-502 CWE-78 |
|
| CPEs | cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Getgrav
Getgrav grav-plugin-admin |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T14:40:02.529Z
Reserved: 2026-06-22T17:09:16.556Z
Link: CVE-2026-56700
Updated: 2026-07-01T14:39:58.056Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T17:45:03Z