Legend

**Name of the Vulnerable Software and Affected Versions** GravCMS version 1.10.7 **Description** GravCMS version 1.10.7 has an issue allowing remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the `admin-nonce` parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. The ''/scheduler'' endpoint is affected. The `admin-nonce` parameter is used to inject payloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.