CVE Catalog

CVE-2026-56701

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Summary

Grav before version 2.0.0-beta.2 contains an XML external entity injection (XXE) vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files.

Risk Assessment

This vulnerability may lead to the exfiltration of sensitive data, posing a serious security risk to the organization. It allows attackers to gain access to confidential information stored on the server.

Recommendation

It is recommended to upgrade to Grav version 2.0.0-beta.2 or later to mitigate this vulnerability. Additionally, external entity loading should be disabled in the application.

Original NVD description (English source)

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS