[HIGH] Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

PKSA-jw9z-qj9h-1drk CVE-2026-44738 GHSA-j274-39qw-32c9

Affected version: <=2.0.0-rc.1

Reported by:
GitHub

[HIGH] Low-privileged Grav API users can create super-admin accounts via blueprint-upload

PKSA-jtpz-17pm-t9v9 CVE-2026-42844 GHSA-6xx2-m8wv-756h

Affected version: <2.0.0-beta.4

Reported by:
GitHub