High severity · NVD Advisory · Published Mar 21, 2024 · Updated Aug 2, 2024
Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
CVE-2024-28116
Description
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
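The fix for this advisory works by extending a denylist of Twig property names that Grav's `Security::cleanDangerousTwig()` comments out of editor-supplied content before it is rendered (the entries are visible in the patch hunk further down). The following is an added example, not Grav project code: a small Python scanner a defender can run over page sources to flag tags that reference those names, and two checks for whether an installation carries the fix. The denylist entries are taken from the patch; the full array in the project is longer. The sample page, the two `Security.php` fragments and the `1.7.44`/`1.7.45` version strings are constructed for the example; the version check assumes the `GRAV_VERSION` constant that Grav defines in `system/defines.php`.

```python
"""Added example (not Grav's own code): flag Twig tags in editor-supplied content
that reference the names Grav's Security::cleanDangerousTwig() denylists, and
check whether an installed Grav carries the CVE-2024-28116 fix."""
import re

# Denylist entries visible in the fix hunk; 'twig.safe_functions' is the one the
# patch adds. The project's full $bad_twig array contains more entries.
DENYLIST_BEFORE_FIX = ("undefined_functions", "twig.getFunction", "core.setEscaper")
DENYLIST_AFTER_FIX = DENYLIST_BEFORE_FIX + ("twig.safe_functions",)

# First Grav release containing the fix, per the advisory.
PATCHED_VERSION = (1, 7, 45)

# A whole Twig output tag {{ ... }} or logic tag {% ... %}, possibly spanning lines.
TWIG_TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def _name_pattern(names):
    # re.escape makes the '.' in 'twig.safe_functions' a literal dot instead of
    # "any character"; IGNORECASE mirrors the /i flag of the project's regex.
    return re.compile("|".join(re.escape(n) for n in names), re.IGNORECASE)


def find_dangerous_tags(template, names=DENYLIST_AFTER_FIX):
    """Return (line_number, tag) for every Twig tag that references a denylisted name."""
    name_re = _name_pattern(names)
    hits = []
    for m in TWIG_TAG_RE.finditer(template):
        tag = m.group(0)
        if name_re.search(tag):
            line_no = template.count("\n", 0, m.start()) + 1
            hits.append((line_no, tag))
    return hits


def neutralize(template, names=DENYLIST_AFTER_FIX):
    """Wrap each flagged tag in a Twig comment, the same outcome the project's cleaner produces."""
    name_re = _name_pattern(names)

    def repl(m):
        tag = m.group(0)
        return "{# " + tag + " #}" if name_re.search(tag) else tag

    return TWIG_TAG_RE.sub(repl, template)


def version_is_patched(version):
    """True if a GRAV_VERSION string such as '1.7.44' is at or above 1.7.45.

    Only the leading numeric components are compared, so a suffix like '-rc.1'
    does not break parsing (it is also not distinguished from the final release).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= PATCHED_VERSION


def security_php_is_patched(source):
    """True if the given Security.php source lists 'twig.safe_functions' in its denylist."""
    return re.search(r"['\"]twig\.safe_functions['\"]", source) is not None


# Constructed sample: a page an editor could save with Twig processing enabled.
SAMPLE_PAGE = """---
title: Editor page
process:
  twig: true
---
{{ page.title }}
{% set helper = twig.safe_functions %}
{{ core.setEscaper }}
"""

# Constructed fragments standing in for the $bad_twig array of an unpatched and a patched Security.php.
SECURITY_PHP_UNPATCHED = "$bad_twig = ['undefined_functions', 'twig.getFunction', 'core.setEscaper',];"
SECURITY_PHP_PATCHED = "$bad_twig = ['undefined_functions', 'twig.getFunction', 'core.setEscaper', 'twig.safe_functions',];"


if __name__ == "__main__":
    for label, names in (("before fix", DENYLIST_BEFORE_FIX), ("after fix", DENYLIST_AFTER_FIX)):
        print(label, find_dangerous_tags(SAMPLE_PAGE, names))
    print(neutralize(SAMPLE_PAGE))
    print("1.7.44 patched:", version_is_patched("1.7.44"))
    print("1.7.45 patched:", version_is_patched("1.7.45"))
    print("Security.php patched:", security_php_is_patched(SECURITY_PHP_PATCHED))
```

Running the scanner with the pre-fix list flags only the `core.setEscaper` tag; with the post-fix list it also flags the `twig.safe_functions` tag, which is exactly the gap the patch closes. To check a real installation, feed `version_is_patched()` the value of `GRAV_VERSION` from `system/defines.php` and `security_php_is_patched()` the contents of `system/src/Grav/Common/Security.php`; both should report true after upgrading to 1.7.45. Note that the scanner, like the project's cleaner, is a substring denylist: it is useful for triaging content saved by editors, not a substitute for keeping editor accounts tightly scoped and the installation current.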
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| getgrav/grav (Packagist) | < 1.7.45 | 1.7.45 |
Patches (1)
4149c8133927: fix for safe_functions attack #GHSA-c9gp-64c4-2rrh
2 files changed · +2 −1
CHANGELOG.md+1 −1 modified@@ -7,7 +7,7 @@ * Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732) * Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394) * Fixed a path traversal vulnerability with file uploads [#GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc) - * Fixed a security issue with insecure Twig functions be processed [#GHSA-2m7x-c7px-hp58](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) [#GHSA-r6vw-8v8r-pmp4](https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4) [#GHSA-qfv4-q44r-g7rv](https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv) + * Fixed a security issue with insecure Twig functions be processed [#GHSA-2m7x-c7px-hp58](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) [#GHSA-r6vw-8v8r-pmp4](https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4) [#GHSA-qfv4-q44r-g7rv](https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv) [#GHSA-c9gp-64c4-2rrh](https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh) # v1.7.44 ## 01/05/2024
system/src/Grav/Common/Security.php+1 −0 modified@@ -278,6 +278,7 @@ public static function cleanDangerousTwig(string $string): string 'undefined_functions', 'twig.getFunction', 'core.setEscaper', + 'twig.safe_functions', ]; $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string); return $string;
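Review bot: in the CHANGELOG hunk the edited bullet still reads "insecure Twig functions be processed"; since the line is being rewritten anyway, change it to "being processed", and consider giving GHSA-c9gp-64c4-2rrh its own bullet with a one-line description (the commit message's "safe_functions attack") instead of appending a fourth advisory link to an existing entry, so someone auditing 1.7.45 can see which change closed which advisory.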
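Review bot: in the Security.php hunk the new 'twig.safe_functions' entry, like the existing 'twig.getFunction' and 'core.setEscaper', is interpolated into the pattern through `implode('|', $bad_twig)` with no preg_quote(), so each '.' matches any character; use `implode('|', array_map('preg_quote', $bad_twig))` (none of the entries contain the '/' delimiter) so the denylist matches what it says. More importantly, this is the fourth advisory (per the CHANGELOG hunk) to be closed by appending a name to a regex denylist that rewrites template source, and a property-name denylist cannot be complete; consider enforcing the restriction in the existing Twig sandbox policy (SandboxExtension/SecurityPolicy, restricting which properties and methods of the `twig` and `core` objects templates may touch) so that a new internal attribute is denied by default rather than allowed until it is listed. The change also ships without a test; a unit test asserting that cleanDangerousTwig() comments out a tag containing the new name would guard against the entry being dropped later.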
References (4)
- github.com/advisories/GHSA-c9gp-64c4-2rrh (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-28116 (ghsa: ADVISORY)
- github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e (ghsa: WEB, x_refsource_MISC)
- github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh (ghsa: WEB, x_refsource_CONFIRM)