CVE-2026-56700 PUBLISHED

Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection

Assigner: VulnCheck
Reserved: 22.06.2026 Published: 30.06.2026 Updated: 01.07.2026

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Grav
Product Grav
Versions Default: unaffected
  • affected from 0 to 2.0.0-beta.2 (excl.)
  • Version 2.0.0-beta.2 is unaffected

Credits

  • Proscan-one reporter

References

Problem Types

  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE
  • Deserialization of Untrusted Data CWE