PT-2026-39647 · Grav · Grav

Revanth011 · Published 2026-05-11 · Updated 2026-05-14

CVE-2026-44738 · CVSS v3.1 7.7 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-rc.2

Description: The Twig sandbox allow-list in Grav permits any user holding the admin.pages role to call config.toArray() from within a page body. The call dumps the entire merged site configuration into the rendered HTML, which can expose sensitive plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets and API tokens. Exploitation does not require administrator privileges; the admin.pages role is sufficient.

Recommendations: Update to version 2.0.0-rc.2.
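As an added example (not Grav's code and not its real sandbox policy), the following PHP script uses Twig's own sandbox API to show how an allow-list entry for toArray() lets a page body dump a configuration object into the output, and how removing that entry makes the sandbox refuse the call. The Config class, its sample values and both method lists are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Grav's code: shows how a Twig sandbox allow-list
// decides whether a page body may call toArray() on a config object.
// Requires twig/twig via Composer. Config, its values and both policies
// are constructed stand-ins, not Grav's real classes or allow-list.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Stand-in for the merged site configuration (sample values only).
final class Config
{
    private array $data = [
        'site'    => ['title' => 'Example Site'],
        'plugins' => ['email' => ['smtp_password' => 'PLACEHOLDER-SECRET']],
    ];
    public function get(string $key): ?string { return $this->data['site'][$key] ?? null; }
    public function toArray(): array { return $this->data; }
}

// Render an editor-supplied page body under a sandbox with the given
// method allow-list. Returns the HTML, or the sandbox error class if denied.
function renderSandboxed(string $body, array $allowedMethods): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],             // allowed tags
        ['escape', 'json_encode'], // allowed filters
        $allowedMethods,           // allowed methods, keyed by class name
        [],                        // allowed properties
        []                         // allowed functions
    );
    $twig = new Environment(new ArrayLoader(['page' => $body]));
    // true: every template is sandboxed, as untrusted page bodies must be
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->render('page', ['config' => new Config()]);
    } catch (SecurityError $e) {
        return get_class($e);
    }
}

$body = '{{ config.toArray()|json_encode }}';
// Over-broad allow-list: the whole configuration lands in the rendered HTML.
echo renderSandboxed($body, [Config::class => ['get', 'toArray']]), PHP_EOL;
// Hardened allow-list: only scalar lookups, so the dump is refused.
echo renderSandboxed($body, [Config::class => ['get']]), PHP_EOL;
```

The second call returns the name of the SecurityNotAllowedMethodError class instead of HTML, which is the behaviour a fixed allow-list should produce for any method that can serialise the whole configuration.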

Information Disclosure

Related Identifiers

CVE-2026-44738
GHSA-J274-39QW-32C9

Affected Products

Grav