PT-2026-37276 · Grav · Grav

Samer666569 · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42610

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2

Description: A low-privileged user, such as a Content Editor with pages.update permissions, can bypass Twig sandbox restrictions by using the grav['accounts'] service. This lets the attacker programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. The bypass works by reaching the internal service container, which sidesteps the isDangerousFunction filter.

Recommendations: Update to version 2.0.0-beta.2 or later.
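As an added example (not code from the advisory or the Grav project), the following audit script lets an administrator scan editor-controlled page files for Twig blocks that reference the grav['accounts'] service, so affected content can be found while the upgrade to 2.0.0-beta.2 is rolled out. The dot-notation form `grav.accounts` and the sample page content are assumptions.

```python
import re
from pathlib import Path

# Twig expressions that reach the accounts service through the service
# container. The bracket form is the one named in the advisory; the dot
# form is an assumption based on standard Twig attribute syntax.
ACCOUNTS_SERVICE_RE = re.compile(
    r"""grav\s*(?:\[\s*['"]accounts['"]\s*\]|\.accounts\b)""")

# Only Twig output/tag blocks are relevant: {{ ... }} and {% ... %}.
TWIG_BLOCK_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def find_accounts_service_refs(text):
    """Return (line_number, normalized_block) for every Twig block in
    `text` that references the accounts service. Legitimate references
    such as grav.user are not flagged."""
    hits = []
    for m in TWIG_BLOCK_RE.finditer(text):
        block = m.group(0)
        if ACCOUNTS_SERVICE_RE.search(block):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, " ".join(block.split())))
    return hits


def scan_pages(root):
    """Walk a Grav user/pages tree and map each markdown file with hits
    to its list of (line_number, block) findings."""
    report = {}
    for path in Path(root).rglob("*.md"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_accounts_service_refs(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample page (not from the advisory) so the script runs offline.
SAMPLE_PAGE = """---
title: Team
process:
  twig: true
---
{% set accounts = grav['accounts'] %}
Hello {{ grav.user.username }}.
"""

if __name__ == "__main__":
    for line_no, block in find_accounts_service_refs(SAMPLE_PAGE):
        print(f"line {line_no}: {block}")
```

Run `scan_pages("/path/to/grav/user/pages")` against a real install to get a per-file report; any hit in content editable by a Content Editor deserves review.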

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-42610
GHSA-3F29-PQWF-V4J4

Affected Products

Grav