grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::__call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing an administrator with plugin configuration access to inject DSN attributes or path traversal values. This issue is fixed in version 1.2.0.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getgrav
Getgrav grav |
|
| Vendors & Products |
Getgrav
Getgrav grav |
Fri, 10 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::__call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing an administrator with plugin configuration access to inject DSN attributes or path traversal values. This issue is fixed in version 1.2.0. | |
| Title | grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction | |
| Weaknesses | CWE-74 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T16:24:32.595Z
Reserved: 2026-06-30T20:21:25.812Z
Link: CVE-2026-58493
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T17:30:17Z