CVE-2026-58493
Deferred Deferred - Pending Action

Database DSN Injection in Grav CMS Plugin

Vulnerability report for CVE-2026-58493, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::__call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing an administrator with plugin configuration access to inject DSN attributes or path traversal values. This issue is fixed in version 1.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav database 1.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58493 is a vulnerability in the Grav CMS Database plugin where the Database::__call() method constructs PDO DSN connection strings by directly concatenating user-configurable YAML values without sanitization or validation.

This allows an administrator with access to plugin configuration to inject malicious DSN attributes or path traversal sequences.

The vulnerability affects multiple database drivers including MySQL, PostgreSQL, SQLSRV, and SQLite.

For example, attackers can inject parameters to redirect database connections, disable TLS encryption, or perform path traversal to access arbitrary filesystem locations.

Compliance Impact

The vulnerability allows an administrator with plugin configuration access to inject DSN attributes or path traversal values, potentially leading to connection redirection, unauthorized filesystem access, and TLS encryption bypass.

Such impacts could undermine data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

For example, bypassing TLS encryption or redirecting database connections could expose sensitive personal or health data to unauthorized parties, violating data protection obligations.

However, the provided information does not explicitly discuss compliance implications or regulatory impact.

Impact Analysis

This vulnerability can lead to several impacts including:

  • Redirection of database connections to unintended locations via injected DSN attributes.
  • Bypassing TLS encryption, for example by disabling certificate validation, which can enable man-in-the-middle attacks.
  • Path traversal attacks allowing access to arbitrary files on the filesystem, potentially exposing sensitive data.
  • Potential use as an internal port scanner due to injection capabilities.

Additionally, if plugin configuration files are exposed through backups or version control, injected malicious values can persist across environments, increasing risk.

Detection Guidance

This vulnerability can be detected by inspecting the configuration values of the Grav CMS Database plugin, specifically looking for unsanitized or suspicious DSN attributes in the YAML configuration files used by the plugin.

Since the vulnerability involves injection of DSN parameters via user-configurable YAML fields such as host, dbname, charset, server, database, directory, and filename, you should check these fields for unusual characters like semicolons, path traversal sequences (e.g., ../), or arbitrary DSN attributes.

Commands to help detect this might include searching the plugin configuration files for suspicious patterns. For example, on a Unix-like system, you could run:

  • grep -rE ';|\.\./' user/plugins/database/
  • grep -rE 'unix_socket|TrustServerCertificate' user/plugins/database/

Additionally, reviewing backups or version control repositories for exposed plugin configuration files may reveal injected values.

Mitigation Strategies

The immediate mitigation step is to upgrade the Grav CMS Database plugin to version 1.2.0 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict administrative access to the plugin configuration to trusted users only, as the vulnerability requires administrative access to exploit.

Also, review and sanitize existing plugin configuration files to remove any injected DSN attributes or path traversal sequences.

Ensure that backups and version control repositories do not expose plugin configuration files containing injected values.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58493. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart