CVE-2026-42610 — Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a
CVE-2026-42610 — Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user
What This Means For You
- If your environment is affected by CWE-863, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-42610 updates and patches.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42610 | vulnerability | CVE-2026-42610 |
| CWE-863 | weakness | CWE-863 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 19:17 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
OpenClaw Improper Authentication: CVE-2026-8305 Publicly Exploitable
CVE-2026-8305 — A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component...
OpenClaw Improper Access Control Bypasses Denylist, Allows Persistent Malicious Configs
CVE-2026-45006 — OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write...
OpenClaw RCE: Arbitrary Code Execution via Plugin Setup Resolver
CVE-2026-45004 — OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup...