VYPR
Medium severity (CVSS 6.5) · GHSA Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-42610

Description

Grav is a file-based web platform. Prior to 2.0.0-beta.2, a low-privileged user (e.g. a Content Editor with only the pages.update permission) can bypass the existing Twig sandbox restrictions by using the grav['accounts'] service. An attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
getgrav/grav (Packagist)   < 2.0.0-beta.2       2.0.0-beta.2

Affected products (4)

  • Getgrav/Grav (GHSA, 3 versions)
    • (no CPE), range: < 2.0.0-beta.2
    • cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*, range: <= 1.8.0
    • cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*
  • ghsa-coords
    Range: < 2.0.0-beta.2
