Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process. | |
| Title | Grav < 2.0.4 ReDoS via regex_replace in Sandbox | |
| First Time appeared |
Getgrav
Getgrav grav |
|
| Weaknesses | CWE-1333 | |
| CPEs | cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Getgrav
Getgrav grav |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T00:07:11.756Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62237
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T01:45:04Z