PatchSiren cyber security CVE debrief
CVE-2026-58492 getgrav CVE debrief
CVE-2026-58492 is a critical SQL injection vulnerability in the grav-plugin-database plugin for Grav CMS. The vulnerability allows attacker-controlled table names to execute arbitrary SQL against the configured database. This issue is fixed in version 1.2.0. Affected deployments should be reviewed for exposure and patched urgently. The grav-plugin-database plugin for Grav CMS has a critical SQL injection vulnerability prior to version 1.2.0. The PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting. This allows attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. Defenders should review and sanitize table names passed to PDO::tableExists method. Evidence is limited to CVE and NVD information. Defenders should verify affected scope and vendor guidance.
- Vendor
- getgrav
- Product
- grav
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using Grav CMS with the grav-plugin-database plugin should prioritize patching to prevent potential SQL injection attacks. Security teams should review compensating controls and monitor for exposure.
Technical summary
The grav-plugin-database plugin for Grav CMS has a critical SQL injection vulnerability prior to version 1.2.0. The PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting. This allows attacker-controlled table names passed by consuming plugin or developer code to execute arbitrary SQL against the configured database. Defenders should review and sanitize table names passed to PDO::tableExists method.
Defensive priority
High
Recommended defensive actions
- Patch grav-plugin-database to version 1.2.0 or later
- Review and sanitize table names passed to PDO::tableExists method
- Implement additional security measures to prevent SQL injection attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-10T17:17:01.670Z and last modified on 2026-07-10T17:35:11.103Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected scope and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:01.670Z and has not been modified since then. The NVD entry is currently Deferred.