PT-2026-51515 · Grav · Grav
Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-56701
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Grav before 2.0.0-beta.2 contains an XML external entity (XXE) injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses `simplexml_load_string` without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.
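A defensive parsing pattern for the flaw described above, as an added example that is not Grav's code or its actual fix: the hypothetical `parseUploadedSvg()` refuses any DOCTYPE or ENTITY declaration and parses without entity substitution. The function name, error messages and sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Grav's code): parse an uploaded SVG without
// resolving entities or fetching external resources.
function parseUploadedSvg(string $svg): SimpleXMLElement
{
    // An SVG meant for display never needs a DTD, so refuse any DOCTYPE or
    // ENTITY declaration before the parser sees the document.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $svg) === 1) {
        throw new InvalidArgumentException('SVG with DOCTYPE/ENTITY declaration rejected');
    }

    // Before PHP 8.0 the linked libxml2 may load external entities by default.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT (substitute
        // entities) and LIBXML_DTDLOAD (load the external DTD) are
        // deliberately not passed.
        $xml = simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NONET);
        if ($xml === false || $xml->getName() !== 'svg') {
            throw new InvalidArgumentException('Upload is not a well-formed SVG document');
        }
        return $xml;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: a plain SVG and one that declares a harmless
// internal entity, which the helper still refuses because it carries a DTD.
$benign  = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e "x">]><svg>&e;</svg>';

foreach (['benign' => $benign, 'with DTD' => $withDtd] as $label => $svg) {
    try {
        parseUploadedSvg($svg);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The textual DOCTYPE check only sees the bytes as uploaded, so the parser flags remain the control that matters for documents in other encodings.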
Exploit
Fix
XXE
Affected Products
Grav