Threat Feed

Tag: Grav (5 briefs)
high advisory

Grav CMS Twig Sandbox Vulnerability Allows Plugin Secret Exfiltration

A vulnerability in the Grav CMS Twig sandbox allow-list lets any user with the `admin.pages` role call `config.toArray()` from within a page body, dumping the entire merged site configuration, including all plugin secrets, into the rendered HTML.

Grav twig rce secret-exfiltration
high threat

Grav CMS Stored XSS Vulnerability Leading to Potential RCE

A stored XSS vulnerability exists in Grav Core + Admin Plugin versions before 2.0.0-beta.2, where a low-privileged user can inject malicious code via a crafted tag, potentially leading to the exfiltration of admin session context, bypassing CSRF protections, and escalating to remote code execution (RCE).

Grav Core + Admin Plugin grav xss rce webserver
high advisory

Grav File Cache Insecure Deserialization Vulnerability

Grav versions 1.7.44 through 1.7.49.5 are vulnerable to insecure deserialization in the File Cache component, where the `unserialize` function with `allowed_classes => true` can lead to arbitrary code execution if an attacker tampers with cache files.

grav insecure-deserialization code-execution web-application
critical advisory

Grav Form Plugin Anonymous Page Content Overwrite Vulnerability

Grav Form plugin versions before 9.1.0 allow unauthenticated users to overwrite page content by uploading a malicious markdown file, leading to potential privilege escalation by crafting a new super-admin user.

grav-plugin-form grav cms file-upload privilege-escalation content-overwrite
critical advisory

Grav Login Plugin Privilege Escalation Vulnerability

Unauthenticated users can escalate privileges to admin in Grav CMS by manipulating registration data due to missing server-side validation in the Login plugin.

Login Plugin +2 grav privilege-escalation web