CVE-2026-58492 in Grav
Summary
by MITRE • 07/10/2026
grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The grav-plugin-database vulnerability represents a critical sql injection flaw that affects the popular Grav CMS database plugin ecosystem. This vulnerability stems from improper input validation within the PDO::tableExists method implementation, where table names are directly interpolated into raw sql queries without any sanitization or escaping mechanisms. The flaw exists in versions prior to 1.2.0 and creates a dangerous attack vector for malicious actors who can manipulate table name parameters passed to this method by consuming plugins or developer code.
The technical exploitation of this vulnerability occurs when an attacker can influence the table argument passed to the PDO::tableExists method through external inputs or by manipulating plugin configurations. Since the method directly incorporates user-supplied table names into sql query strings without proper sanitization, attackers can craft malicious table names that contain sql injection payloads. When these crafted table names are processed by the database engine, they execute arbitrary sql commands against the configured database system, potentially leading to data exfiltration, unauthorized access, or complete database compromise.
This vulnerability aligns with common weakness enumerations such as CWE-89 sql injection and CWE-77 sql injection through parameter interpolation. The operational impact extends beyond simple data theft, as successful exploitation could enable attackers to escalate privileges within the database environment, modify sensitive configuration parameters, or even execute system-level commands if the underlying database system allows such operations. The issue affects not only the core database plugin but potentially any plugin that relies on table existence checks or interacts with database schema validation mechanisms.
The remediation approach requires immediate upgrading to version 1.2.0 or later where proper input sanitization and sql query parameterization have been implemented. Security teams should conduct comprehensive vulnerability assessments across all Grav installations using the affected plugin versions, particularly focusing on any custom plugins that might interact with database table validation methods. Organizations should also implement network segmentation controls and database access monitoring to detect potential exploitation attempts. Additionally, developers should review their custom plugin code for similar patterns of direct sql query construction and ensure proper input validation practices are implemented throughout their applications. The vulnerability demonstrates the critical importance of input sanitization in database operations and serves as a reminder that even seemingly benign methods like table existence checks can become dangerous attack vectors when insufficiently protected against malicious input manipulation.