SecBoard
Zurück zur CVE-Übersicht

CVE-2026-62237

MEDIUM(6.5)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Risk Signal Score26/100 — MITTEL
  • CVSS 6.5 — Mittel
  • Weniger als 24 Stunden alt

Beschreibung

Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process.

Referenzen