CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

9 matches found

OSV•added 2026/05/13 3:29 p.m.•1 views

GHSA-J274-39QW-32C9 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Summary The Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets SMTP passwords, AWS keys, OAuth client secrets, API tokens — into the rendered HTML. No...

7.7CVSS5.8AI score0.00036EPSS

Exploits1References4

Github Security Blog•added 2026/05/13 3:29 p.m.•3 views

Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

7.7CVSS5.8AI score0.00036EPSS

Exploits1References4Affected Software1

CVE•added 2026/05/11 3:47 p.m.•8 views

CVE-2026-44738

Technical details are not publicly available in the provided documents. Monitor for updates from authoritative sources for affected software, version, and remediation.

7.7CVSS5.8AI score0.00036EPSS

Exploits1References1Affected Software1

Cvelist•added 2026/05/11 3:47 p.m.•26 views

CVE-2026-44738 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets SMTP passwords, AWS keys, OAuth client secrets...

7.7CVSS0.00036EPSS

Exploits1References1