Product
A stored server-side template injection vulnerability, identified as CVE-2026-58655, exists in the Grav Flex Objects plugin before version 1.4.0, allowing an attacker to achieve arbitrary Twig execution and remote command execution by injecting malicious code into user-controlled title frontmatter that bypasses sanitization.