
Grav CMS CVE-2026-44738

EUVD-2026-29135 | HIGH
Information Exposure (CWE-200)
2026-05-11 | GitHub_M | GHSA-j274-39qw-32c9
CVSS 3.1 base score: 7.7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: May 11, 2026 - 18:17 (EUVD)
Analysis Generated: May 11, 2026 - 16:45 (vuln.today)
CVE Published: May 11, 2026 - 15:47 (nvd)

Description (NVD)

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration - including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) - into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.

Analysis (AI)

Information disclosure in Grav CMS versions prior to 2.0.0-rc.2 allows authenticated users with the admin.pages role to extract all site configuration secrets through an over-permissive Twig sandbox allow-list. Such a user can invoke config.toArray() from page content, dumping SMTP passwords, AWS keys, OAuth client secrets, and API tokens into the rendered HTML. …


Remediation (AI)

Within 24 hours: Identify all Grav CMS instances and their current versions using asset inventory; audit admin.pages role assignments to minimize privileged user count. Within 7 days: Restrict admin.pages role to only essential personnel; implement code review workflows for page content before publication. …
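As an added example (not code from vuln.today, NVD or the Grav project), the following Python script turns two points on this page into checks a defender can run: the affected-version statement in the description ("prior to 2.0.0-rc.2") and the remediation advice to review page content before publication. It implements the stated range literally with a semver-style comparison, and scans Grav page files for Twig tags that call config.toArray() while ignoring ordinary config reads. The front-matter keys it looks for (process: twig: true, twig_first: true), the pages directory path, and the sample page are assumptions or constructed for the demo.

```python
import os
import re
from typing import Dict, List, Tuple

# Fix version stated in the advisory; anything sorting below it is in the affected range.
FIXED_VERSION = "2.0.0-rc.2"

# Twig output and statement tags, including whitespace-control forms ({{- ... -}}, {%- ... -%}).
TWIG_TAG_RE = re.compile(r"\{\{-?.*?-?\}\}|\{%-?.*?-?%\}", re.DOTALL)
# The call named in the advisory, tolerant of the whitespace Twig allows around '.' and '('.
CONFIG_DUMP_RE = re.compile(r"\bconfig\s*\.\s*toArray\s*\(")


def _version_key(version: str) -> tuple:
    """Sort key with semver precedence: 2.0.0-beta.1 < 2.0.0-rc.1 < 2.0.0-rc.2 < 2.0.0."""
    core, _, pre = version.strip().lstrip("v").partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))          # pad "2.0" to (2, 0, 0)
    if not pre:
        return (nums, 1, ())                # a release outranks any pre-release of the same core
    # Numeric identifiers compare as numbers and sort before alphabetic ones.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (nums, 0, parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed Grav version is 'prior to 2.0.0-rc.2', as the advisory states."""
    return _version_key(version) < _version_key(FIXED_VERSION)


def front_matter(page_text: str) -> str:
    """Return the YAML header between the leading '---' fences, or '' if there is none."""
    m = re.match(r"^---[ \t]*\n(.*?)\n---[ \t]*\n", page_text, re.DOTALL)
    return m.group(1) if m else ""


def twig_enabled_in_header(page_text: str) -> bool:
    """Heuristic (assumed Grav header keys): does this page opt into Twig processing?"""
    fm = front_matter(page_text)
    return bool(re.search(r"^[ \t]+twig:[ \t]*true[ \t]*$", fm, re.MULTILINE)
                or re.search(r"^twig_first:[ \t]*true[ \t]*$", fm, re.MULTILINE))


def find_config_dump_calls(page_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for each Twig tag that calls config.toArray().

    Plain config reads such as {{ config.site.title }} are not reported.
    """
    hits = []
    for tag in TWIG_TAG_RE.finditer(page_text):
        if CONFIG_DUMP_RE.search(tag.group(0)):
            line_no = page_text.count("\n", 0, tag.start()) + 1
            hits.append((line_no, " ".join(tag.group(0).split())))
    return hits


def scan_pages(pages_root: str) -> List[Dict[str, object]]:
    """Walk a Grav pages tree (e.g. user/pages, an assumed path) and report every hit."""
    findings = []
    for dirpath, _, files in os.walk(pages_root):
        for name in sorted(files):
            if not name.endswith(".md"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for line_no, tag in find_config_dump_calls(text):
                findings.append({"file": path, "line": line_no, "tag": tag,
                                 "twig_enabled": twig_enabled_in_header(text)})
    return findings


# Constructed sample page: one benign config read and two dump calls in different tag styles.
SAMPLE_PAGE = """---
title: Contact
process:
  twig: true
---
# Contact {{ config.site.title }}

{{ config.toArray() }}
{%- set dump = config . toArray ( ) -%}
"""

if __name__ == "__main__":
    for v in ("1.7.48", "2.0.0-beta.3", "2.0.0-rc.1", "2.0.0-rc.2", "2.0.0"):
        print(f"{v:<12} vulnerable={is_vulnerable(v)}")
    for line_no, tag in find_config_dump_calls(SAMPLE_PAGE):
        print(f"sample page line {line_no}: {tag} "
              f"(twig enabled in header: {twig_enabled_in_header(SAMPLE_PAGE)})")
```

Run scan_pages() against the site's pages directory as part of the content review step; a hit on a page whose header enables Twig processing is the case the advisory describes, and a hit elsewhere is still worth removing before a later header change makes it live. The version check deliberately treats every pre-release below 2.0.0-rc.2 as affected, which is exactly what "prior to 2.0.0-rc.2" says.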


