getgrav/grav Security Advisories for 2.0.0-beta.4 (2)
-
[MEDIUM] Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
PKSA-p98m-jfx1-qxw4 CVE-2026-55890 GHSA-pmf8-g7c8-7v54
Affected version: <=2.0.0-rc.8
Reported by:
GitHub -
[HIGH] Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
PKSA-jw9z-qj9h-1drk CVE-2026-44738 GHSA-j274-39qw-32c9
Affected version: <=2.0.0-rc.1
Reported by:
GitHub