CVE-2024-28116

HIGH

Grav < 1.7.45 - Authenticated Server-Side Template Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-28116. PoCs were published by geniuszly, akabe1 and gunzf0x.

AI-analyzed exploit summary: The public PoCs exploit an authenticated Server-Side Template Injection (SSTI) in Grav CMS <= 1.7.44 (CVE-2024-28116) to achieve remote command execution. Each automates authentication, session handling and payload injection through Twig template manipulation of page content.

Description

Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the server, bypassing the existing Twig security sandbox. Because the injection point is page content edited through the admin panel, the precondition is an account that can create or edit pages, not an administrator account. Version 1.7.45 contains a patch for this issue.

Exploits (3)

Source: nomisec · Working PoC · 7 stars
by geniuszly · poc
https://github.com/geniuszly/GenGravSSTIExploit

This PoC exploits an authenticated Server-Side Template Injection (SSTI) vulnerability in Grav CMS <= 1.7.44 (CVE-2024-28116) to achieve remote command execution. It automates authentication, session handling, and payload injection via Twig template manipulation.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS <= 1.7.44
Auth required: yes
Prerequisites: Valid Grav CMS credentials · Access to admin panel · Twig processing enabled
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · Working PoC · 7 stars
by akabe1 · poc
https://github.com/akabe1/Graver

This is a functional PoC for CVE-2024-28116, an authenticated SSTI+RCE vulnerability in Grav CMS <= 1.7.44. It automates the exploitation process by authenticating, creating a malicious page, and injecting an RCE payload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS <= 1.7.44
Auth required: yes
Prerequisites: Valid Grav CMS editor credentials · Network access to the target Grav CMS admin interface
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · Working PoC
by gunzf0x · poc
https://github.com/gunzf0x/Grav-CMS-RCE-Authenticated

This is a Python-based exploit for CVE-2024-28116, targeting Grav CMS with an authenticated RCE vulnerability. It automates the process of logging in, creating a malicious page, and executing arbitrary commands via crafted payloads.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS
Auth required: yes
Prerequisites: Valid credentials for Grav CMS · Admin panel access · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
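All three PoCs above follow the same chain: log in with an editor account, create or edit a page whose header enables Twig processing, and place a payload in the page body that the Twig sandbox fails to contain. A responder who has read the description wants the two checks that chain implies: is the installed Grav below 1.7.45, and do any page files under user/pages carry Twig-processed content that calls PHP execution functions. The script below is an added example and is not code from Grav or from any of the listed repositories. It assumes Grav's system/defines.php declares the version as define('GRAV_VERSION', '...') and that page headers enable Twig with the documented keys twig_first: true or process: twig: true; the watch-list of function names is a generic assumption, not the exact sandbox-bypass construct the PoCs use, and the page files it scans are constructed inline for illustration.

```python
"""Triage helper for CVE-2024-28116 (Grav CMS < 1.7.45, authenticated SSTI).

Added example, not code from Grav or the public PoCs. Two checks:
  1. is_affected(): version-range check against the fixed release 1.7.45.
  2. triage_page(): flag a Grav page (.md with YAML header) where Twig
     processing is enabled AND a Twig tag references a PHP exec function.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "1.7.45"

# Assumption: a generic watch-list of PHP execution functions. The real
# sandbox-bypass payloads may be shaped differently; tune to your findings.
EXEC_FUNCTIONS = ("system", "exec", "shell_exec", "passthru", "popen",
                  "proc_open", "pcntl_exec", "eval")

TWIG_TAG = re.compile(r"(\{\{.*?\}\}|\{%.*?%\})", re.DOTALL)
EXEC_CALL = re.compile(r"\b(" + "|".join(EXEC_FUNCTIONS) + r")\b")
# Assumption: Grav's system/defines.php declares define('GRAV_VERSION', '1.7.x');
VERSION_DEFINE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.44' -> (1, 7, 44). Pre-release suffixes are reduced to their digits."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True for every release below the fixed version 1.7.45."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def grav_version_from_defines(defines_php: str) -> Optional[str]:
    """Extract the version string from the contents of system/defines.php."""
    m = VERSION_DEFINE.search(defines_php)
    return m.group(1) if m else None


def split_frontmatter(markdown: str) -> Tuple[str, str]:
    """Grav pages open with a '---' YAML block; return (frontmatter, body)."""
    if not markdown.startswith("---"):
        return "", markdown
    end = markdown.find("\n---", 3)
    if end == -1:
        return "", markdown
    return markdown[3:end], markdown[end + 4:]


def twig_enabled(frontmatter: str) -> bool:
    """True if the header turns Twig on for the body: `twig_first: true` or
    `process:` followed by an indented `twig: true` (the documented keys)."""
    in_process = False
    for line in frontmatter.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped or stripped.startswith("#"):
            continue
        if re.fullmatch(r"twig_first:\s*true", stripped):
            return True
        if stripped == "process:":
            in_process = True
            continue
        if in_process and indent == 0:       # left the process: mapping
            in_process = False
        if in_process and re.fullmatch(r"twig:\s*true", stripped):
            return True
    return False


def suspicious_tags(body: str) -> List[str]:
    """Every Twig tag in the body that names one of the exec functions."""
    return [t for t in TWIG_TAG.findall(body) if EXEC_CALL.search(t)]


def triage_page(markdown: str) -> Dict[str, object]:
    """A page is flagged only when Twig is processed for it AND a tag calls an
    exec function; Twig in page content is normal Grav usage on its own."""
    fm, body = split_frontmatter(markdown)
    enabled = twig_enabled(fm)
    tags = suspicious_tags(body)
    return {"twig_enabled": enabled, "suspicious_tags": tags,
            "flagged": enabled and bool(tags)}


# Constructed sample inputs (not taken from any real installation).
SAMPLE_DEFINES = "<?php\ndefine('GRAV_VERSION', '1.7.44');\n"
SAMPLE_CLEAN = "---\ntitle: About\ntwig_first: true\n---\n" \
               "Contact {{ config.site.author.email }} for details.\n"
SAMPLE_INERT = "---\ntitle: Notes\n---\n{{ system('id') }}\n"  # Twig off: rendered as text
SAMPLE_MALICIOUS = "---\ntitle: Hello\nprocess:\n  markdown: true\n  twig: true\n---\n" \
                   "{{ system('id') }}\n"

if __name__ == "__main__":
    v = grav_version_from_defines(SAMPLE_DEFINES)
    print(f"GRAV_VERSION={v} affected={is_affected(v)}")
    for name, page in (("clean", SAMPLE_CLEAN), ("inert", SAMPLE_INERT),
                       ("malicious", SAMPLE_MALICIOUS)):
        print(name, triage_page(page))
```

Run it against a real install by reading system/defines.php and globbing user/pages/**/*.md in place of the constructed samples; a flagged page is evidence worth preserving (modification time and the editing account from the admin logs) rather than something to delete immediately.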

References (2)

Scores

CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.6217 (98.4th percentile)
Attack vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical impact: total

Details

CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), CWE-94 (Improper Control of Generation of Code)
Status: published
Products (2):
getgrav/grav < 1.7.45
getgrav/grav 0 - 1.7.45 (Packagist)
Published: Mar 21, 2024
Tracked since: Feb 18, 2026