grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getgrav
Getgrav grav |
|
| Vendors & Products |
Getgrav
Getgrav grav |
Fri, 10 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0. | |
| Title | grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T16:48:28.515Z
Reserved: 2026-06-30T20:21:25.812Z
Link: CVE-2026-58492
Updated: 2026-07-10T16:47:53.135Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T18:00:04Z