3 matches found
CVE-2026-58655
The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...
CVE-2026-58655 Grav Flex Objects - Server-Side Template Injection via Dynamic Titles
The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...
CVE-2026-45697
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending ...