Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray() — CVE-2026-44738
GitHub · GitHub · CVE-2026-44738
ID
CVE-2026-44738
CVE-2026-44738
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.7
7.7
EPSS
0.00031
0.00031
Summary
## Summary The Twig sandbox allow-list permits any user with the `admin.pages` role to call `config.toArray()` from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. ## Details The Twig sandbox allow-list in `system/config/security.yaml`…
Product
composer: getgrav/grav
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.