{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44738", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-07T18:04:17.310Z", "datePublished": "2026-05-11T15:47:46.778Z", "dateUpdated": "2026-05-14T18:06:17.679Z"}, "containers": {"cna": {"title": "Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9"}], "affected": [{"vendor": "getgrav", "product": "grav", "versions": [{"version": "< 2.0.0-rc.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-11T15:47:46.778Z"}, "descriptions": [{"lang": "en", "value": "Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration \u2014 including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) \u2014 into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2."}], "source": {"advisory": "GHSA-j274-39qw-32c9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-14T18:04:51.140656Z", "id": "CVE-2026-44738", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T18:06:17.679Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44738", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-14T18:04:51.140656Z"}}}], "references": [{"url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T18:03:19.535Z"}}], "cna": {"title": "Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()", "source": {"advisory": "GHSA-j274-39qw-32c9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getgrav", "product": "grav", "versions": [{"status": "affected", "version": "< 2.0.0-rc.2"}]}], "references": [{"url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "name": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration \u2014 including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) \u2014 into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-11T15:47:46.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44738", "state": "PUBLISHED", "dateUpdated": "2026-05-14T18:06:17.679Z", "dateReserved": "2026-05-07T18:04:17.310Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-11T15:47:46.778Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "matchCriteriaId": "064CDB77-36FA-4294-9397-0D6FC8E67F1F", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "1ABB323F-20AF-40F3-BCD9-262644D242A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "23F8F687-3238-4CC0-AAC0-8D73DD13EB57", "vulnerable": true}, {"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "4D2DD669-63FD-44AF-ABA7-5998216D81B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "0439ACB4-C5F0-4C78-B62D-8A7CCCA95943", "vulnerable": true}, {"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F8DFF41E-3A2E-4975-8417-6157E923D749", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration \u2014 including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) \u2014 into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2."}], "id": "CVE-2026-44738", "lastModified": "2026-05-14T18:16:50.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-05-11T17:16:34.747", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0-rc.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "grav", "source": "cna", "vendor": "getgrav"}, "product": "grav", "vendor": "getgrav"}], "created": "2026-05-11T17:45:25.998763+00:00", "updated": "2026-05-13T21:15:04.847463+00:00", "vendors": ["getgrav", "getgrav$PRODUCT$grav"]}