CVE-2026-56700
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Elevated risk, 74th percentile — higher than 74% of all known CVEs
Summary
Grav CMS before version 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls, in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session, deserialize untrusted data without restricting the allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution wherever an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection during plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present.
Risk Assessment
An attacker with admin privileges can gain full server control via OS command injection or remote code execution, compromising data confidentiality, integrity, and availability.
Recommendation
Immediately upgrade Grav CMS to version 2.0.0-beta.2 or later. Restrict administrative access to trusted users only.
Original NVD description (English source)
Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.
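The two defect classes described above, as an added illustrative example that is not Grav's own code: each weak pattern beside a hardened form. Function names and validation patterns are assumptions made for this example, and $path is assumed to be built by the installer under its own plugin directory rather than taken from the request.

```php
<?php
// Added illustrative code (not Grav's own): the advisory's two defect classes,
// each as the weak pattern beside a hardened form.
// 1. Deserialising queue/cache/session entries. Weak: every class named in the
// string is instantiated, so attacker-controlled input can assemble a gadget chain.
function loadEntryWeak(string $raw)
{
    return unserialize($raw);
}

// Hardened: no classes at all. Objects in the input come back as
// __PHP_Incomplete_Class, so __wakeup/__destruct of application classes never run.
function loadEntrySafe(string $raw)
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        throw new RuntimeException('malformed serialized entry');
    }
    return $data;
}

// 2. git clone during plugin/theme install. Weak: branch, url and path are
// interpolated into a shell command line.
function cloneWeak(string $branch, string $url, string $path): int
{
    exec("git clone -b $branch $url $path", $output, $rc);
    return $rc;
}

// Hardened: no shell (argv array, PHP >= 7.4); allow-list the inputs (patterns are
// assumptions for this example); '--branch=' and '--' keep a value that starts
// with '-' from being read by git as an option.
function cloneSafe(string $branch, string $url, string $path): int
{
    if (!preg_match('#^[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$#', $branch) || strpos($branch, '..') !== false) {
        throw new InvalidArgumentException('unexpected branch name');
    }
    if (!preg_match('#^https://[A-Za-z0-9.-]+/[A-Za-z0-9._/-]+$#', $url)) {
        throw new InvalidArgumentException('unexpected repository url');
    }
    $argv = ['git', 'clone', '--branch=' . $branch, '--', $url, $path];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['redirect', 1]], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start git');
    }
    $log = stream_get_contents($pipes[1]); // clone output, kept for the install log
    fclose($pipes[1]);
    return proc_close($proc);
}
```

Storing queue, cache and session entries as JSON rather than PHP-serialized data removes the class semantics entirely, which is the stronger fix where the format can be changed.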