Veracode, added 2025/12/13 5:52 a.m., 229 views

Server-Side Template Injection (SSTI)

getgrav/grav is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to weak regex validation in the cleanDangerousTwig method, which allows an attacker to execute arbitrary commands on the server...

CVSS 8.8, AI score 6.1, EPSS 0.02594
Exploits: 4, References: 3, Affected software: 1
CNVD, added 2025/12/03 12:00 a.m., 3 views

Grav server-side template injection vulnerability (CNVD-2025-30352)

Grav is an extensible CMS Content Management System for personal blogs, small content publishing platforms and one-page product presentations. Grav suffers from a server-side template injection vulnerability that stems from insufficient regular expression validation of the cleanDangerousTwig...

CVSS 8.8, AI score 8.1, EPSS 0.02594
Exploits: 4, References: 1
Snyk, added 2025/12/01 9:42 p.m., 4 views

Arbitrary Code Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection via insufficient validation in the cleanDangerousTwig function. An attacker can execute arbitrary commands on the...

CVSS 8.8, AI score 7.8, EPSS 0.02594
Exploits: 4, References: 2
NVD, added 2025/12/01 9:15 p.m., 10 views

CVE-2025-66294

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection SSTI vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by...

CVSS 8.8, EPSS 0.02594
Exploits: 4, References: 2