# Grav · CVE-2026-42610
**Name of the Vulnerable Software and Affected Versions**
Grav versions prior to 2.0.0-beta.2
**Description**
A low-privileged user, such as a Content Editor holding the `pages.update` permission, can bypass the Twig sandbox restrictions by using the `grav['accounts']` service. This allows an attacker to programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This is achieved by accessing the internal service container directly, which sidesteps the `isDangerousFunction` filter.
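As an added defensive aid (not Grav project code and not part of this advisory), the following scanner hunts editor-authored page content for Twig that reaches into the `grav` service container, so a site can be checked for prior abuse before and after upgrading. It assumes pages are stored as Markdown files under a directory you pass in (Grav's default is `user/pages/`); the sample page content and the `find_container_access` / `scan_pages` helper names are constructed for this example.

```python
"""Hunt for Twig in page content that reaches into Grav's service container.

Added example, not Grav project code. Flags the `grav['accounts']` access the
advisory describes at high severity, and reports any other `grav[...]` or
`grav.<service>` lookup for review, because editor-authored page content has
no legitimate reason to touch the container at all.
"""
import re
from pathlib import Path

# Any lookup on the `grav` container object: grav['x'], grav["x"], grav.x
CONTAINER_ACCESS = re.compile(r"""\bgrav\s*(?:\[\s*['"](\w+)['"]\s*\]|\.(\w+))""")

# Services whose exposure is what the advisory describes (user objects,
# password hashes, the security salt). Anything else is still reported.
HIGH_RISK_SERVICES = {"accounts"}


def find_container_access(text: str):
    """Return (line_no, service, severity) tuples for each hit in `text`."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CONTAINER_ACCESS.finditer(line):
            service = m.group(1) or m.group(2)
            severity = "high" if service in HIGH_RISK_SERVICES else "review"
            hits.append((line_no, service, severity))
    return hits


def scan_pages(pages_dir: str):
    """Map each page file under `pages_dir` that has hits to its hit list."""
    results = {}
    for path in Path(pages_dir).rglob("*.md"):
        hits = find_container_access(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample page (not from a real site): Twig processing enabled in
# the header, then three container lookups in the body.
SAMPLE_PAGE = """---
title: Team
twig_first: true
process:
    twig: true
---
Welcome, {{ grav['user'].username }}!
{% set acc = grav['accounts'] %}
{{ grav.accounts }}
"""

if __name__ == "__main__":
    for hit in find_container_access(SAMPLE_PAGE):
        print("line %d: grav[%r] -> %s" % hit)
```

Run `scan_pages("user/pages")` from the site root to sweep a whole install; any `high` hit in a page an editor can modify warrants an incident review of that editor's account and of the admin credentials the advisory says are exposed.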
**Recommendations**
Update to version 2.0.0-beta.2 or later.