CVE-2026-62237 in Grav
Summary
by MITRE • 07/17/2026
Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability exists within the Grav CMS platform prior to version 2.0.4, specifically targeting the Twig templating engine's regex_replace filter and function. This represents a classic regular expression denial of service (ReDoS) flaw that exploits catastrophic backtracking in Perl Compatible Regular Expressions (PCRE) patterns. The vulnerability is particularly concerning because it operates within the Twig content sandbox, which is designed to provide a secure environment for user-generated content processing while maintaining strict controls over available functions and operations.
The technical implementation of this flaw occurs when an authenticated user with page editing privileges enables the Twig content processing feature through the configuration setting security.twig_content.process_enabled: true. This setting is disabled by default, making the vulnerability less immediately exploitable but still present in systems where administrators have explicitly enabled this functionality for enhanced templating capabilities. When enabled, the system processes user-supplied content through the Twig engine, which then passes regular expression patterns directly to PHP's preg_replace() function without adequate input sanitization or timeout mechanisms.
The operational impact of this vulnerability is severe as it allows an authenticated attacker to construct maliciously crafted PCRE patterns that exhibit catastrophic backtracking behavior. This means that when the vulnerable regex_replace filter processes these patterns, the underlying PCRE engine enters a state where it performs an exponential number of operations, leading to unbounded CPU consumption and ultimately causing a denial of service condition against the web server process. The attacker requires only basic editing privileges within the CMS to exploit this vulnerability, making it particularly dangerous in environments where multiple users have access to content management capabilities.
This vulnerability aligns with CWE-400, which specifically addresses "Uncontrolled Resource Consumption" and more precisely maps to CWE-1321, "Regular Expression Denial of Service (ReDoS)". From an adversarial perspective, this flaw fits within the ATT&CK technique T1499.004, "Endpoint Denial of Service", where adversaries leverage software vulnerabilities to consume system resources and cause service disruption. The exploit chain requires an authenticated user account but does not require elevated privileges beyond standard content editor permissions, making it accessible to a broader range of potential attackers within compromised systems.
The recommended mitigation strategy involves upgrading to Grav version 2.0.4 or later, where the vulnerability has been patched through improved input validation and regex pattern sanitization. Administrators should also consider disabling the Twig content processing feature when not actively required, particularly in environments where multiple untrusted users have editing privileges. Additional protective measures include implementing resource limits on web server processes, monitoring for unusual CPU consumption patterns, and ensuring that all user inputs are properly validated before being processed through regex operations. Organizations should also review their access control policies to minimize the number of users with sufficient privileges to enable potentially dangerous CMS features.