{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/grav/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav (\u003c 2.0.0-beta.2)"],"_cs_severities":["high"],"_cs_tags":["insecure-deserialization","code-execution","grav","web-application"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eGrav, a flat-file CMS, versions 1.7.44 through 1.7.49.5 are susceptible to an insecure deserialization vulnerability within the \u003ccode\u003eFileCache\u003c/code\u003e component. Specifically, the \u003ccode\u003eunserialize()\u003c/code\u003e function in \u003ccode\u003esystem/src/Grav/Framework/Cache/Adapter/FileCache.php\u003c/code\u003e utilizes the \u003ccode\u003eallowed_classes =\u0026gt; true\u003c/code\u003e option, which permits the instantiation of arbitrary classes without any restrictions. This vulnerability can be exploited if an attacker gains the ability to tamper with or poison the cache files used by Grav. By injecting malicious serialized objects into these cache files, an attacker can trigger the execution of arbitrary code when the application attempts to deserialize the tampered cache data. This issue was reported on May 5th, 2026. A fix has been implemented in Grav core on the 2.0 branch (commit \u003ccode\u003ec66dfeb5f\u003c/code\u003e), set to be included in version 2.0.0-beta.2. This fix introduces HMAC signing and verification to ensure the integrity of cache payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the Grav server\u0026rsquo;s filesystem with write privileges to the cache directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP object that, when unserialized, will execute arbitrary code. This payload could leverage existing classes or magic methods like \u003ccode\u003e__wakeup()\u003c/code\u003e to achieve code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker serializes the malicious PHP object using the \u003ccode\u003eserialize()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an existing cache file or creates a new one containing the serialized payload in the Grav cache directory (location varies based on configuration, but default is often in \u003ccode\u003ecache/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Grav application attempts to read the tampered cache file using the \u003ccode\u003eFileCache::doGet()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize($value, ['allowed_classes' =\u0026gt; true])\u003c/code\u003e function is called on the tampered cache data.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is deserialized, triggering the execution of the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the Grav server, potentially leading to full system compromise, data exfiltration, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the Grav server. This can lead to complete system compromise, data exfiltration, defacement of websites, or the installation of backdoors for persistent access. Given that Grav is a CMS, this can impact any website or application built on the platform. The number of potential victims is dependent on the number of Grav installations running the vulnerable versions (1.7.44 - 1.7.49.5) and the attacker\u0026rsquo;s ability to access and modify the cache files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Grav version 2.0.0-beta.2 or later, where the vulnerability is addressed with HMAC signing of cache payloads, as detailed in commit \u003ccode\u003ec66dfeb5f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor file system access, particularly writes to the cache directory, for suspicious activity. Consider deploying file integrity monitoring tools to detect unauthorized modifications to cache files.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement strict access controls to the cache directory to prevent unauthorized write access.\u003c/li\u003e\n\u003cli\u003eReview and audit any plugins or custom code that utilize the \u003ccode\u003eGrav\\Framework\\Cache\\Adapter\\FileCache\u003c/code\u003e class, ensuring they are not susceptible to cache poisoning attacks.\u003c/li\u003e\n\u003cli\u003eImplement the provided PoC locally to validate your exposure and test the effectiveness of mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-grav-filecache-deserialization/","summary":"Grav versions 1.7.44 through 1.7.49.5 are vulnerable to insecure deserialization in the File Cache component, where the `unserialize` function with `allowed_classes =\u003e true` can lead to arbitrary code execution if an attacker tampers with cache files.","title":"Grav File Cache Insecure Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-30-grav-filecache-deserialization/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Login Plugin","Grav Core","grav-plugin-login"],"_cs_severities":["critical"],"_cs_tags":["grav","privilege-escalation","web"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA critical privilege escalation vulnerability exists in the Grav CMS Login plugin, version 3.8.0, affecting Grav Core versions prior to 2.0.0-beta.2. The vulnerability stems from the \u003ccode\u003eLogin::register()\u003c/code\u003e method not validating the \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e fields during user registration. If registration is enabled and these fields are included in the allowed registration fields, an unauthenticated user can craft a malicious registration request to assign themselves admin privileges. This can lead to complete compromise of the Grav CMS instance, allowing attackers to modify content, install malicious plugins, and potentially execute arbitrary code. The vulnerability is tracked as CVE-2026-42613. The fix was applied on 2026-04-24 and released in grav-plugin-login 3.8.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Grav CMS instance with user registration enabled and the \u003ccode\u003egroups\u003c/code\u003e or \u003ccode\u003eaccess\u003c/code\u003e fields included in the allowed registration fields.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/user_register\u003c/code\u003e endpoint, including \u003ccode\u003eusername\u003c/code\u003e, \u003ccode\u003epassword\u003c/code\u003e, \u003ccode\u003eemail\u003c/code\u003e, and \u003ccode\u003efullname\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker injects \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e fields into the POST request with values designed to grant admin privileges (e.g., \u003ccode\u003egroups[]=admins\u003c/code\u003e, \u003ccode\u003eaccess[admin][super]=true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLogin::register()\u003c/code\u003e method processes the registration data without proper validation of the injected \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e values are assigned directly to the newly created user object.\u003c/li\u003e\n\u003cli\u003eThe user object is saved, creating a new user account with admin privileges in the \u003ccode\u003euser/accounts/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the Grav admin panel using the newly created account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their admin access to install malicious plugins or execute arbitrary code on the server, achieving complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers full administrative access to the Grav CMS instance. This can lead to complete website defacement, data exfiltration, or remote code execution. Since no victim count or specific sector targeting is mentioned in the advisory, we can assume any Grav instance with the vulnerable configuration is at risk, potentially impacting numerous websites and organizations relying on Grav CMS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to grav-plugin-login version 3.8.2 or later to patch CVE-2026-42613.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, remove \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e from the allowed registration fields in the Login plugin configuration.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Grav User Registration\u003c/code\u003e to identify registration attempts with injected admin privileges based on user-registration requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/user_register\u003c/code\u003e endpoint containing \u003ccode\u003egroups\u003c/code\u003e or \u003ccode\u003eaccess\u003c/code\u003e parameters using the \u003ccode\u003eGrav Registration Attempt with Group/Access Parameters\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-grav-privesc/","summary":"Unauthenticated users can escalate privileges to admin in Grav CMS by manipulating registration data due to missing server-side validation in the Login plugin.","title":"Grav Login Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav-plugin-api (\u003c 1.0.0-beta.15)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","grav"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA critical vulnerability exists within the Grav API plugin (\u003ccode\u003ecomposer/getgrav/grav-plugin-api\u003c/code\u003e) versions prior to 1.0.0-beta.15. This vulnerability, identified as CVE-2026-42843, allows any authenticated user with the \u003ccode\u003eapi.access\u003c/code\u003e permission to escalate their privileges to Super Administrator. The flaw is due to an insecure direct object reference and logic error in the \u003ccode\u003eUsersController::update\u003c/code\u003e method, specifically in how user permissions are updated via the API. By sending a crafted PATCH request, a low-privileged user can modify their own access control list (ACL) to include \u003ccode\u003eadmin.super\u003c/code\u003e and \u003ccode\u003eapi.super\u003c/code\u003e permissions. Successful exploitation grants the attacker full control over the Grav CMS instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a low-privileged user account with \u003ccode\u003eapi.access\u003c/code\u003e permission on the Grav CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Grav API using the obtained credentials to receive a valid JWT access token via a POST request to \u003ccode\u003e/api/v1/auth/token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PATCH request to the \u003ccode\u003e/api/v1/users/{username}\u003c/code\u003e endpoint, targeting their own username.\u003c/li\u003e\n\u003cli\u003eThe PATCH request includes a JSON payload that modifies the user\u0026rsquo;s \u003ccode\u003eaccess\u003c/code\u003e field, specifically setting \u003ccode\u003eadmin.super\u003c/code\u003e and \u003ccode\u003eapi.super\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e. For example: \u003ccode\u003e{\u0026quot;access\u0026quot;:{\u0026quot;admin\u0026quot;:{\u0026quot;login\u0026quot;:true,\u0026quot;super\u0026quot;:true},\u0026quot;api\u0026quot;:{\u0026quot;access\u0026quot;:true,\u0026quot;super\u0026quot;:true},\u0026quot;site\u0026quot;:{\u0026quot;login\u0026quot;:true}}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted PATCH request to the target Grav CMS instance, including the JWT access token in the \u003ccode\u003eX-API-Token\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eUsersController::update\u003c/code\u003e method in \u003ccode\u003euser/plugins/api/classes/Api/Controllers/UsersController.php\u003c/code\u003e processes the request without properly validating the user\u0026rsquo;s authority to modify their own permissions.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s \u003ccode\u003eaccess\u003c/code\u003e field is updated with the malicious payload, granting them Super Administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Grav Admin panel using the compromised user credentials and now has full control over the Grav CMS, able to modify content, install plugins, and potentially execute arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis privilege escalation vulnerability (CVE-2026-42843) allows any low-privileged user to gain complete control over a Grav CMS instance. An attacker can modify website content, inject malicious code, install backdoors, and potentially achieve remote code execution (RCE) on the underlying server by modifying Twig templates. This can lead to data breaches, website defacement, and complete compromise of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecomposer/getgrav/grav-plugin-api\u003c/code\u003e package to version 1.0.0-beta.15 or later to patch CVE-2026-42843.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Grav API User Permission Escalation Attempt\u0026rdquo; to identify attempted exploitation of this vulnerability by monitoring for PATCH requests to \u003ccode\u003e/api/v1/users/\u003c/code\u003e with modified access parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-grav-api-privesc/","summary":"A privilege escalation vulnerability in the Grav API plugin allows authenticated users with basic API access to elevate their privileges to Super Administrator, leading to full system compromise and potential remote code execution.","title":"Grav API Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav","version":"https://jsonfeed.org/version/1.1"}