{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-flex-objects-plugin--1.4.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-58655"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav Flex Objects plugin \u003c 1.4.0"],"_cs_severities":["high"],"_cs_tags":["template-injection","rce","web-vulnerability","cms","grav","php"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA critical stored server-side template injection vulnerability, CVE-2026-58655, affects the bundled Grav Flex Objects plugin (getgrav/grav-plugin-flex-objects) in versions prior to 1.4.0. This flaw allows an attacker to inject and execute arbitrary Twig code by manipulating the \u003ccode\u003epage.header.flex.collection.title\u003c/code\u003e or \u003ccode\u003epage.header.flex.object.title\u003c/code\u003e frontmatter values. The plugin's \u003ccode\u003etemplate_from_string()\u003c/code\u003e function insecurely processes these user-controlled inputs as executable Twig code during dynamic collection or object title rendering, effectively bypassing Grav's \u003ccode\u003eSecurity::cleanDangerousTwig()\u003c/code\u003e sanitization. Successful exploitation grants an unauthenticated attacker remote command execution capabilities on the vulnerable Grav instance, potentially through access to internal Grav services like the scheduler. This could lead to full system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible Grav Flex Objects page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious Twig template code designed to achieve arbitrary command execution, possibly leveraging internal Grav services like the scheduler.\u003c/li\u003e\n\u003cli\u003eThe attacker injects this malicious Twig code into the \u003ccode\u003etitle\u003c/code\u003e frontmatter (e.g., \u003ccode\u003epage.header.flex.collection.title\u003c/code\u003e or \u003ccode\u003epage.header.flex.object.title\u003c/code\u003e) of the target Flex Objects page.\u003c/li\u003e\n\u003cli\u003eThe Grav Flex Objects plugin receives and stores the maliciously crafted frontmatter.\u003c/li\u003e\n\u003cli\u003eWhen the affected page's title is dynamically rendered, the plugin's \u003ccode\u003etemplate_from_string()\u003c/code\u003e function attempts to process the user-controlled frontmatter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etemplate_from_string()\u003c/code\u003e function evaluates the injected malicious string as Twig code due to the vulnerability, bypassing security sanitization.\u003c/li\u003e\n\u003cli\u003eThe embedded Twig code executes on the server, leading to arbitrary code execution and potential escalation to remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker's commands are executed on the host system, enabling full compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-58655 results in remote code execution (RCE) on the compromised Grav instance. An attacker can gain full control over the affected web server, including the ability to install backdoors, steal sensitive data, modify website content, or use the server as a platform for further attacks. This vulnerability poses a severe risk to the integrity and confidentiality of the Grav installation and any data it manages. While specific victim counts are not available, all Grav installations using the Flex Objects plugin prior to version 1.4.0 are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Grav Flex Objects plugin to version 1.4.0 or newer immediately to patch CVE-2026-58655.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts at server-side template injection via suspicious Twig syntax in web requests.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging, including full URI query strings and POST body parameters, to capture evidence for the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:25:11Z","date_published":"2026-07-15T12:25:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-flex-objects-rce/","summary":"A stored server-side template injection vulnerability, identified as CVE-2026-58655, exists in the Grav Flex Objects plugin before version 1.4.0, allowing an attacker to achieve arbitrary Twig execution and remote command execution by injecting malicious code into user-controlled title frontmatter that bypasses sanitization.","title":"Grav Flex Objects Plugin Stored Template Injection Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-flex-objects-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav Flex Objects Plugin \u003c 1.4.0","version":"https://jsonfeed.org/version/1.1"}