CVE-2026-58492 PUBLISHED

grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation

Assigner: GitHub_M
Reserved: 30.06.2026 Published: 10.07.2026 Updated: 10.07.2026

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor getgrav
Product grav
Versions
  • Version < 1.2.0 is affected

References

Problem Types

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE