2 matches found
CVE-2026-61450
Grav prior to 2.0.2 contains a Twig sandbox bypass that enables a page author (including any admin.pages user or anyone with write access to user/pages) to exfiltrate configuration secrets. The sandbox replaces the config variable with a redacted facade and strips Config::get/toArray from the all...
CVE-2026-61450 Grav before 2.0.2 Config Exfiltration via offsetGet Filter
Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...