<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav Flex Objects Plugin &lt; 1.4.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav-flex-objects-plugin--1.4.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 12:25:11 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav-flex-objects-plugin--1.4.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grav Flex Objects Plugin Stored Template Injection Leading to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-flex-objects-rce/</link><pubDate>Wed, 15 Jul 2026 12:25:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-flex-objects-rce/</guid><description>A stored server-side template injection vulnerability, identified as CVE-2026-58655, exists in the Grav Flex Objects plugin before version 1.4.0, allowing an attacker to achieve arbitrary Twig execution and remote command execution by injecting malicious code into user-controlled title frontmatter that bypasses sanitization.</description><content:encoded><![CDATA[<p>A critical stored server-side template injection vulnerability, CVE-2026-58655, affects the bundled Grav Flex Objects plugin (getgrav/grav-plugin-flex-objects) in versions prior to 1.4.0. This flaw allows an attacker to inject and execute arbitrary Twig code by manipulating the <code>page.header.flex.collection.title</code> or <code>page.header.flex.object.title</code> frontmatter values. The plugin's <code>template_from_string()</code> function insecurely processes these user-controlled inputs as executable Twig code during dynamic collection or object title rendering, effectively bypassing Grav's <code>Security::cleanDangerousTwig()</code> sanitization. Successful exploitation grants an unauthenticated attacker remote command execution capabilities on the vulnerable Grav instance, potentially through access to internal Grav services like the scheduler. This could lead to full system compromise and data exfiltration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a publicly accessible Grav Flex Objects page.</li>
<li>The attacker crafts malicious Twig template code designed to achieve arbitrary command execution, possibly leveraging internal Grav services like the scheduler.</li>
<li>The attacker injects this malicious Twig code into the <code>title</code> frontmatter (e.g., <code>page.header.flex.collection.title</code> or <code>page.header.flex.object.title</code>) of the target Flex Objects page.</li>
<li>The Grav Flex Objects plugin receives and stores the maliciously crafted frontmatter.</li>
<li>When the affected page's title is dynamically rendered, the plugin's <code>template_from_string()</code> function attempts to process the user-controlled frontmatter.</li>
<li>The <code>template_from_string()</code> function evaluates the injected malicious string as Twig code due to the vulnerability, bypassing security sanitization.</li>
<li>The embedded Twig code executes on the server, leading to arbitrary code execution and potential escalation to remote command execution.</li>
<li>The attacker's commands are executed on the host system, enabling full compromise or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-58655 results in remote code execution (RCE) on the compromised Grav instance. An attacker can gain full control over the affected web server, including the ability to install backdoors, steal sensitive data, modify website content, or use the server as a platform for further attacks. This vulnerability poses a severe risk to the integrity and confidentiality of the Grav installation and any data it manages. While specific victim counts are not available, all Grav installations using the Flex Objects plugin prior to version 1.4.0 are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Grav Flex Objects plugin to version 1.4.0 or newer immediately to patch CVE-2026-58655.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect attempts at server-side template injection via suspicious Twig syntax in web requests.</li>
<li>Enable comprehensive web server logging, including full URI query strings and POST body parameters, to capture evidence for the detection rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>template-injection</category><category>rce</category><category>web-vulnerability</category><category>cms</category><category>grav</category><category>php</category></item></channel></rss>