CVE-2026-58493

Source
https://cve.org/CVERecord?id=CVE-2026-58493
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58493.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58493
Aliases
  • GHSA-jm58-p4pv-qcwc
Published
2026-07-10T16:24:32.595Z
Modified
2026-07-14T03:56:29.126309350Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction
Details

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::__call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing an administrator with plugin configuration access to inject DSN attributes or path traversal values. This issue is fixed in version 1.2.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58493.json"
}
References

Affected packages

Git / github.com/getgrav/grav-plugin-database

Affected ranges

Type
GIT
Repo
https://github.com/getgrav/grav-plugin-database
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58493.json"