CVE-2021-29440

HIGH

Grav < 1.7.11 - Authenticated Remote Code Execution via Twig Template Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-29440. PoCs published by enox, CsEnox.

AI-analyzed exploit summary This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Grav CMS 1.7.10, allowing authenticated users to execute arbitrary commands via Twig template injection. It authenticates, creates a malicious page with embedded system commands, and retrieves the output.

Description

Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.

Exploits (2)

exploitdb WORKING POC

by enox · pythonwebappsphp

https://www.exploit-db.com/exploits/49961

View Code ZIP pw:eip

This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Grav CMS 1.7.10, allowing authenticated users to execute arbitrary commands via Twig template injection. It authenticates, creates a malicious page with embedded system commands, and retrieves the output.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Grav CMS 1.7.10

Auth required

Prerequisites: Valid credentials with page creation privileges · Access to the admin dashboard

MITRE ATT&CK

T1221 - Template Injection T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by CsEnox · poc

https://github.com/CsEnox/CVE-2021-29440

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-29440, which leverages unsafe Twig processing in Grav CMS 1.7.10 to achieve remote code execution (RCE). The exploit automates authentication, page creation with malicious Twig templates, and command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Grav CMS 1.7.10

Auth required

Prerequisites: Valid admin credentials for Grav CMS · Page creation privileges

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory x_refsource_confirm

https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc

Product, Third Party Advisory x_refsource_misc

https://packagist.org/packages/getgrav/grav

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162987/Grav-CMS-1.7.10-Server-Side-Template-Injection.html

Exploit, Third Party Advisory x_refsource_misc

https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities

Scores

CVSS v3 8.4

EPSS 0.1116

EPSS Percentile 93.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

getgrav/grav < 1.7.11

getgrav/grav 0 - 1.7.11Packagist

Published Apr 13, 2021

Tracked Since Feb 18, 2026