{"id":"CVE-2026-58655","summary":"Grav Flex Objects - Server-Side Template Injection via Dynamic Titles","details":"The bundled Grav Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values (page.header.flex.collection.title or page.header.flex.object.title) to Twig's template_from_string(), causing them to be evaluated as Twig code rather than treated as text. This path bypasses Grav's Security::cleanDangerousTwig() sanitization. An attacker who can control the title frontmatter of a publicly reachable Flex Objects page can achieve arbitrary Twig execution and escalate to remote command execution via access to internal Grav services such as the scheduler.","aliases":["GHSA-623v-m3c4-3pw8"],"modified":"2026-07-17T03:48:09.410038721Z","published":"2026-07-15T11:25:34.186Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58655.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58655.json"},{"type":"ADVISORY","url":"https://github.com/getgrav/grav/security/advisories/GHSA-623v-m3c4-3pw8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58655"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/grav-flex-objects-server-side-template-injection-via-dynamic-titles"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/getgrav/grav","events":[{"introduced":"0"},{"fixed":"9b149307efc9fd0fb0865bd22c1d717b25c1f31e"}],"database_specific":{"source":["AFFECTED_FIELD","DESCRIPTION"],"extracted_events":[{"introduced":"0"},{"fixed":"1.4.0"}]}}],"versions":["1.3.10","1.3.9","1.3.8","1.3.7","1.3.6","1.3.5","1.3.4","1.3.3","1.3.2","1.3.1","1.3.0","1.2.4","1.2.3","1.2.2","1.2.1","1.2.0","1.1.17","1.1.9-rc.3","1.1.9-rc.2","1.1.9-rc.1","1.1.0-rc.3","1.1.0-rc.2","1.1.0-rc.1","1.1.0-beta.5","1.1.0-beta.4","1.1.0-beta.3","1.1.0-beta.2","1.1.0-beta.1","0.9.19","0.9.18","0.9.17","0.9.16","0.9.15","0.9.14","0.9.13","0.9.12","0.9.11","0.9.10","0.9.9","0.9.8","0.9.7","0.9.6","0.9.5","0.9.4","0.9.3","0.9.2","0.9.0","0.8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58655.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}