4 matches found
CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__
The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...
GHSA-R6VW-8V8R-PMP4 Server Side Template Injection (SSTI)
Summary Due to the unrestricted access to twig extension class from grav context, an attacker can redefine config variable. As a result, attacker can bypass previous patch. Details The twig context has a function declared called getFunction. php public function getFunction$name if...
Undefined Behavior in sailsjs-cacheman
All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. Recommendation No fix is currently available. Consider using an alternative...
Undefined Behavior
Overview All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. Recommendation No fix is currently available. Consider using an...