External risk intelligence

Grav Database Plugin SQL Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-58492

The vulnerability exists in a plugin for Grav, a web content management system. As a web-based CMS, Grav installations are commonly deployed as public-facing web applications, making this plugin's functionality frequently reachable via the internet.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects a database plugin for Grav CMS, a content management system. It allows an attacker to execute arbitrary SQL commands if they can control specific input, potentially leading to unauthorized access or manipulation of the database. The primary concern is confirming whether this plugin is in use and if it's exposed to potential threats.

  • Plugin allows SQL injection via database interaction.
  • Critical if Grav CMS is publicly accessible.
  • Confirm use and exposure of this plugin.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by sending specially crafted input to a Grav CMS website that uses the database plugin. If a consuming plugin or custom code passes an attacker-controlled table name to the vulnerable function, it can lead to arbitrary SQL execution. This could result in unauthorized access to or modification of sensitive database information.

  • No authentication required.
  • Vulnerable PDO::tableExists method.
  • Arbitrary SQL execution possible.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, malicious actors could execute arbitrary SQL commands against the configured database by crafting specific table names. This could potentially affect database integrity and lead to unauthorized data access or manipulation, depending on the privileges granted to the database user.

  • Database contents could be compromised.
  • Malicious SQL could be injected.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The grav-plugin-database vulnerability impacts Grav CMS installations, likely managed by web application or platform teams. The first step is to inventory Grav instances, confirm exposure and business criticality, and identify the accountable owner before planning remediation based on risk.

  • Application owners must address the vulnerability.
  • Verify affected Grav instances and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the grav-plugin-database for Grav CMS?

This component serves as an extension for Grav, a flat-file content management system. It provides database connectivity features, allowing developers to manage data interactions within their web projects. When installed, it acts as a bridge for the CMS to communicate with database systems, which is essential for sites that require dynamic data storage rather than relying solely on file-based structures.

How does CVE-2026-58492 cause a security issue?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. In plain terms, the plugin fails to sanitize user-provided table names before including them in database queries. Because the application processes this input as trusted command logic rather than plain text, it inadvertently grants an attacker the ability to inject and run unauthorized database instructions.

Do I need to worry if my database input is hardcoded?

Not necessarily. The vulnerability relies on the application taking a table name from an external source—such as parameters passed through a web request—and passing it directly into the flawed function. If your specific implementation only uses hardcoded, static strings that are never influenced by user input or request data, the specific path required to trigger this SQL injection is not present.

Why is this CVE considered relevant for my web server?

According to Halo Surface Signal, this plugin is frequently used in public-facing web applications. Because Grav CMS powers sites accessible over the internet, a critical flaw in a database component means the system is potentially reachable by remote actors. If your instance is connected to the internet, it is more likely to be targeted than an internal, isolated service.

What steps should I take to address CVE-2026-58492?

First, verify if your Grav installation uses the grav-plugin-database and determine if the version is older than 1.2.0. If you are running an affected version, the primary resolution is to upgrade to version 1.2.0 or later, which contains the fix for this flaw. Prioritize auditing your sites to confirm where this plugin is active before applying the update.

References