CVE-2026-62237
Received Received - Intake

ReDoS in Grav CMS via Twig Content Processing

Vulnerability report for CVE-2026-62237, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.4 (exc)
getgrav grav to 2.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62237 is a Regular Expression Denial of Service (ReDoS) vulnerability in Grav, a content management system. It exists in the Twig sandbox environment where the regex_replace filter and function are allowlisted. When Twig content processing is enabled, authenticated page editors can exploit this by providing a malicious PCRE pattern that causes catastrophic backtracking in PHP's preg_replace() function. This leads to unbounded CPU consumption and denial of service to the web server process.

Detection Guidance

To detect this vulnerability, check if your Grav instance is running a version before 2.0.4. Run the command: grav version. If Twig content processing is enabled, verify if regex_replace filter usage exists in page content by searching for patterns in templates or content files.

Impact Analysis

This vulnerability can cause the web server to become unresponsive or crash due to excessive CPU usage. It may lead to complete service denial on single-worker PHP setups or resource exhaustion on multi-worker configurations. The attack requires an authenticated user with page edit access and the sandbox to be enabled, which is disabled by default.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR or HIPAA by causing service disruptions or resource exhaustion on servers handling sensitive data. Unbounded CPU consumption may lead to downtime, affecting availability requirements under GDPR Article 32 or HIPAA Security Rule standards for system integrity and availability.

Mitigation Strategies

Immediately upgrade Grav to version 2.0.4 or later. If upgrading is not possible, disable Twig content processing by setting security.twig_content.process_enabled to false in your Grav configuration. Restrict page editor access to trusted users only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart