CVE-2026-56701

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published Jun 23, 2026

Vendor unknown

Description

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files to exfiltrate sensitive data.

References

https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p
https://www.vulncheck.com/advisories/grav-xml-external-entity-injection-via-svg-upload
https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p