CVE-2026-58655
Received Received - Intake

Stored Server-Side Template Injection in Grav Flex Objects Plugin

Vulnerability report for CVE-2026-58655, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

The bundled Grav Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values (page.header.flex.collection.title or page.header.flex.object.title) to Twig's template_from_string(), causing them to be evaluated as Twig code rather than treated as text. This path bypasses Grav's Security::cleanDangerousTwig() sanitization. An attacker who can control the title frontmatter of a publicly reachable Flex Objects page can achieve arbitrary Twig execution and escalate to remote command execution via access to internal Grav services such as the scheduler.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav-plugin-flex-objects to 1.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored server-side template injection in the Grav Flex Objects plugin (before version 1.4.0). It occurs when user-controlled frontmatter values for dynamic collection or object titles are passed to Twig's template_from_string() function without proper sanitization. This allows attackers to inject and execute arbitrary Twig code, potentially leading to remote command execution via Grav's internal services.

Impact Analysis

An attacker who exploits this can execute arbitrary code on the server, read sensitive files, access internal Grav services, or escalate privileges. This could lead to full system compromise, data theft, or unauthorized actions depending on the server's configuration and permissions.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection requirements or HIPAA's safeguards for protected health information. Organizations may face compliance breaches, legal penalties, and reputational damage if exploited.

Detection Guidance

Check if the Grav Flex Objects plugin version is below 1.4.0 by inspecting the plugin directory or running composer show getgrav/grav-plugin-flex-objects. Look for pages using Flex Objects with dynamic titles in page frontmatter. Review server logs for unusual Twig template rendering requests or errors.

Mitigation Strategies

Update the Grav Flex Objects plugin to version 1.4.0 or later immediately. Disable the plugin if not in use. Restrict access to admin interfaces and sensitive pages. Monitor for suspicious activity in logs. Apply Grav core updates if available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58655. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart