CVE-2026-7317
Grav CMS Cache Value FileCache.php doGet deserialization
| CVSS Score | 5.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. It affects the function FileCache::doGet in the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the Cache Value Handler component. Manipulation results in deserialization. The attack may be launched remotely, but it requires a high level of complexity and exploitation appears to be difficult. The exploit has been made public and could be used. Upgrading to version 2.0.0-beta.2 addresses this issue; the patch is identified as c66dfeb5f. The affected component should be upgraded.
| CWE | CWE-502 CWE-20 |
| Vendor | grav |
| Product | cms |
| Published | Apr 28, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
Grav / CMS
1.7.49.0, 1.7.49.1, 1.7.49.2, 1.7.49.3, 1.7.49.4, 1.7.49.5, 2.0.0-beta.0, 2.0.0-beta.1
References
vuldb.com: https://vuldb.com/vuln/359965
vuldb.com: https://vuldb.com/vuln/359965/cti
vuldb.com: https://vuldb.com/submit/798732
github.com: https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv
github.com: https://github.com/getgrav/grav/commit/c66dfeb5f
Credits
s4nnty (VulDB User)