CVE-2026-58492
Deferred Deferred - Pending Action

SQL Injection in Grav CMS Database Plugin

Vulnerability report for CVE-2026-58492, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav_plugin_database to 1.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58492 is a SQL injection vulnerability in the Grav CMS Database plugin's PDO::tableExists() method. Before version 1.2.0, this method directly inserts the table name argument into a raw SQL query without any sanitization, escaping, quoting, or validation. This means that if an attacker can control the table name passed to this method, they can inject malicious SQL code that will be executed by the database.

The vulnerability arises because the table name parameter is concatenated directly into the SQL query string, and the error handling does not prevent the injected SQL from running. An attacker could craft a table name that closes the original query and appends harmful SQL commands.

Impact Analysis

This vulnerability can have severe impacts including unauthorized information disclosure, data manipulation, privilege escalation, and potentially full server compromise if the database supports file-writing operations.

  • Attackers can extract sensitive data by injecting UNION SELECT queries.
  • They can create new tables or modify existing records.
  • They may escalate privileges within the application or database.
  • If the database allows, attackers might write files to the server, leading to further compromise.
Detection Guidance

This vulnerability involves SQL injection through the PDO::tableExists method in the Grav CMS Database plugin, where attacker-controlled table names are interpolated directly into SQL queries without sanitization.

Detection can focus on monitoring database queries for suspicious or malformed table names that include SQL syntax or commands, especially those that attempt to close queries or append additional SQL statements.

Since the vulnerability is in the application code, network detection might involve inspecting database query logs or application logs for unusual SQL statements or errors related to table existence checks.

Specific commands depend on your database system and logging setup, but examples include:

  • For MySQL, check the general query log or slow query log for suspicious queries: `grep -i 'tableExists' /var/log/mysql/mysql.log` or `grep -E "(UNION|SELECT|;|--|')" /var/log/mysql/mysql.log`
  • Use SQL queries to search for suspicious table names in the database metadata tables, e.g., `SELECT table_name FROM information_schema.tables WHERE table_name LIKE '%;%';` or containing SQL keywords.
  • Review application logs for errors or exceptions related to database queries, especially those involving table existence checks.

Automated scanning tools or static code analysis focusing on the Grav plugin versions prior to 1.2.0 can also help detect vulnerable instances.

Mitigation Strategies

The primary mitigation step is to upgrade the Grav CMS Database plugin to version 1.2.0 or later, where this vulnerability has been fixed.

The fix replaces unsafe direct interpolation of table names with parameterized queries, preventing SQL injection.

If upgrading immediately is not possible, consider applying input validation and sanitization on any user or plugin inputs that influence table names passed to the PDO::tableExists method.

Additionally, review and restrict database permissions to limit the impact of any potential exploitation, such as removing unnecessary privileges that allow data modification or file writing.

Monitor logs for suspicious activity and consider implementing Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting this vulnerability.

Compliance Impact

The vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized access, disclosure, or modification of sensitive data stored in the database.

Such unauthorized data access or manipulation could result in violations of data protection regulations like GDPR or HIPAA, which mandate strict controls over personal and sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing or altering protected data without proper authorization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58492. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart