Description
A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.
Published: 2026-04-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is found in Grav CMS’s Cache Value Handler, specifically in the FileCache::doGet method. When a crafted cache entry is processed, the system deserializes the data without validating its content. The CVE description indicates that this can be triggered remotely and is considered complex and difficult to exploit. While the exact consequences are not specified, deserialization vulnerabilities typically allow attackers to inject arbitrary objects into the application, which could lead to unintended behavior depending on how the application uses the deserialized data.

Affected Systems

Grav CMS versions up to 1.7.49.5 and 2.0.0-beta.1 are affected. Upgrading to 2.0.0-beta.2 or later, which includes commit c66dfeb5f, resolves the issue.

Risk and Exploitability

With a CVSS score of 2.3 and no EPSS data, the likelihood of widespread exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Public exploit material has been released, so an attacker who can control cache entries may attempt to trigger the vulnerable deserialization path. The attack may be launched remotely, but the CVE description points out that it requires a high level of complexity and the exploitation is difficult, suggesting that successful exploitation will likely need a targeted approach.

Generated by OpenCVE AI on April 29, 2026 at 02:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fixed version of Grav CMS by upgrading to 2.0.0-beta.2 or later, which incorporates commit c66dfeb5f that addresses the deserialization flaw in FileCache::doGet.
  • If a quick upgrade is not feasible, restrict access to the cache directory by setting strict file permissions and ensuring that only internal processes can write to it, thereby preventing malicious cache entries from reaching the deserialization code.
  • Monitor application logs for unusual or repeated attempts to access cache files or for error messages indicating failed deserialization, and consider implementing web-application firewall rules that block requests containing suspicious cache payloads.
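As an added illustration (not Grav's code and not the patched FileCache), the following PHP shows the generic CWE-502 pattern the advisory describes, a file cache reader that unserializes whatever it finds on disk, beside a hardened reader that authenticates each entry with an HMAC and forbids class instantiation, plus the cache-directory permission check the recommended actions call for. The `CACHE_HMAC_KEY` constant, the `doGetUnsafe`/`doSetSafe`/`doGetSafe`/`cacheDirIsRestricted` names and the `<hmac>\n<serialized>` on-disk format are assumptions made for this example.

```php
<?php
// Added illustration of the CWE-502 pattern and its mitigation; not Grav's code.
declare(strict_types=1);

// --- The pattern the advisory names: trust the file, unserialize it ---
function doGetUnsafe(string $cacheDir, string $key): mixed
{
    $path = $cacheDir . '/' . hash('sha256', $key);
    if (!is_file($path)) {
        return null;
    }
    // Whoever can write $path controls the serialized payload, and
    // unserialize() will instantiate whatever classes that payload names.
    return unserialize((string) file_get_contents($path));
}

// --- Hardened reader/writer ---
// Entries are stored as "<hmac>\n<serialized>". The HMAC key is a hypothetical
// constant here; in practice it is loaded from config outside the cache directory.
const CACHE_HMAC_KEY = 'replace-with-a-secret-loaded-from-config';

function doSetSafe(string $cacheDir, string $key, mixed $value): void
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, CACHE_HMAC_KEY);
    $path = $cacheDir . '/' . hash('sha256', $key);
    // Write to a temp file and rename so a reader never sees a half-written entry.
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    file_put_contents($tmp, $mac . "\n" . $payload, LOCK_EX);
    rename($tmp, $path);
}

function doGetSafe(string $cacheDir, string $key): mixed
{
    $path = $cacheDir . '/' . hash('sha256', $key);
    if (!is_file($path)) {
        return null;
    }
    $raw = (string) file_get_contents($path);
    $nl = strpos($raw, "\n");
    if ($nl === false) {
        return null; // malformed entry: treat as a cache miss, not as data
    }
    $mac = substr($raw, 0, $nl);
    $payload = substr($raw, $nl + 1);
    // Constant-time comparison; a tampered or foreign entry is simply a miss.
    if (!hash_equals(hash_hmac('sha256', $payload, CACHE_HMAC_KEY), $mac)) {
        return null;
    }
    // Even with a valid MAC, never let the payload instantiate objects:
    // scalars and arrays only (allowed_classes is available since PHP 7.0).
    return unserialize($payload, ['allowed_classes' => false]);
}

// --- Permission check from the recommended actions ---
// Returns true only when the cache directory is neither group- nor world-writable.
function cacheDirIsRestricted(string $cacheDir): bool
{
    $perms = fileperms($cacheDir);
    if ($perms === false) {
        return false;
    }
    return ($perms & 0022) === 0; // mode bits 0020 (group w) and 0002 (other w)
}

// Stand-alone demonstration on a constructed temporary cache directory.
$dir = sys_get_temp_dir() . '/cache-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
doSetSafe($dir, 'page:/home', ['title' => 'Home', 'hits' => 3]);
var_dump(doGetSafe($dir, 'page:/home'));
// Simulate an entry written by something other than the application:
// the MAC no longer matches, so the hardened reader refuses to unserialize it.
file_put_contents($dir . '/' . hash('sha256', 'page:/home'), "bogus\n" . serialize(['x' => 1]));
var_dump(doGetSafe($dir, 'page:/home'));
var_dump(cacheDirIsRestricted($dir));
```

The design point is that the cache directory is treated as an untrusted input channel: an entry is only consumed when it carries a MAC computed with a key the cache directory's writers do not have, and even then the deserializer is restricted to plain data. `cacheDirIsRestricted` is the kind of check a deployment script or health endpoint can run to confirm the permission hardening the recommended actions describe.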

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Getgrav; Getgrav grav Cms
Vendors & Products    -                Getgrav; Getgrav grav Cms

Tue, 28 Apr 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description   -                A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue. The patch is identified as c66dfeb5f. The affected component should be upgraded.
Title         -                Grav CMS Cache Value FileCache.php doGet deserialization
Weaknesses    -                CWE-20; CWE-502
References    -                -
Metrics       -                cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
                               cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                               cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                               cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:01:56.731Z

Reserved: 2026-04-28T13:11:54.929Z

Link: CVE-2026-7317

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T22:16:51.710

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:24Z

Weaknesses