Cyber Resilience

CVE-2026-56700

Critical · Public PoC · RCE

Published: 30 June 2026
Modified: 01 July 2026
KEV Added: not listed
Patch: fixed in 2.0.0-beta.2
CVSS v4.0 score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0168 (74.2nd percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-56700 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Vulnerability details

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls, in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session, deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.
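The two defects described above (unrestricted unserialize() and string-interpolated shell commands) each have a small, well-known fix. The PHP below is an added illustration written for this page; it is not Grav's code, and the function names, parameter names, validation patterns and sample inputs are assumptions. It shows the unsafe pattern beside the hardened one for both issues, and assumes PHP 8.0 or later (mixed return types) with proc_open()'s array form (PHP 7.4+) for shell-free process execution.

```php
<?php
declare(strict_types=1);

// Added illustration, not Grav's code. All names below are assumptions.

// --- 1. Deserialization of untrusted input ------------------------------------

// Unsafe: every class named in the payload is instantiated, including classes
// whose magic methods (__wakeup, __destruct, __toString) a gadget chain relies on.
function loadJobUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Safer: refuse to instantiate any object. Objects in the payload are turned into
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function loadJobSafe(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Where objects are genuinely needed, allow only the expected class names explicitly.
function loadJobAllowlisted(string $raw, array $expectedClasses): mixed
{
    return unserialize($raw, ['allowed_classes' => $expectedClasses]);
}

// --- 2. Building the git clone command -----------------------------------------

// Unsafe: the parameters are interpolated into one shell string, so shell
// metacharacters in any of them are interpreted by /bin/sh.
function gitCloneCommandUnsafe(string $url, string $branch, string $path): string
{
    return "git clone --branch $branch $url $path";
}

// Safer: validate each value against a strict pattern, then hand the argument
// vector to proc_open() in array form, which never invokes a shell. The "--"
// separator stops a URL beginning with "-" from being parsed as a git option.
function gitCloneArgv(string $url, string $branch, string $path): array
{
    if (!preg_match('#\Ahttps://[A-Za-z0-9.\-]+(/[A-Za-z0-9._\-]+)+\z#', $url)) {
        throw new InvalidArgumentException('unexpected repository URL');
    }
    if (!preg_match('#\A[A-Za-z0-9][A-Za-z0-9._/\-]*\z#', $branch)) {
        throw new InvalidArgumentException('unexpected branch name');
    }
    if (!preg_match('#\A[A-Za-z0-9][A-Za-z0-9._\-]*\z#', $path)) {
        throw new InvalidArgumentException('unexpected install directory');
    }
    return ['git', 'clone', '--branch', $branch, '--', $url, $path];
}

// Runs an argument vector without a shell and returns the exit status.
function runArgv(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// If a shell string is unavoidable, quote every argument with escapeshellarg().
function gitCloneCommandEscaped(string $url, string $branch, string $path): string
{
    return 'git clone --branch ' . escapeshellarg($branch) . ' -- '
        . escapeshellarg($url) . ' ' . escapeshellarg($path);
}

// --- Demonstration with constructed inputs -------------------------------------

// Constructed sample payload: one plain object, no gadget chain.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"ls";}';
$obj = loadJobSafe($payload);
echo get_class($obj), PHP_EOL;            // __PHP_Incomplete_Class

$url = 'https://example.invalid/grav/plugin.git';  // constructed
echo gitCloneCommandEscaped($url, 'main', 'plugin'), PHP_EOL;
print_r(gitCloneArgv($url, 'main', 'plugin'));

try {
    gitCloneArgv($url, 'main; id', 'plugin');   // shell metacharacters are rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list on unserialize() only limits which classes can be instantiated; it does not make native PHP serialization safe for data an attacker can write, so the stronger control is to keep untrusted data out of unserialize() entirely (JSON with a structural check, for example). For the command, validation plus an argument vector is preferred over escapeshellarg() because the latter still depends on a shell parsing the string correctly.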

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Public-facing CMS RCE via deserialization + OS command injection directly enables T1190 and T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-30861 (shared CWE-78)
- CVE-2024-57016 (shared CWE-78)
- CVE-2026-27728 (shared CWE-78)
- CVE-2025-8613 (shared CWE-78)
- CVE-2026-27626 (shared CWE-78)
- CVE-2025-2257 (shared CWE-78)
- CVE-2026-33208 (shared CWE-78)
- CVE-2026-32892 (shared CWE-78)
- CVE-2026-2043 (shared CWE-78)
- CVE-2013-10048 (shared CWE-78)

Affected Assets

Grav CMS before 2.0.0-beta.2.

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-10 Information Input Validation (prevent): Directly requires validation of untrusted inputs to block unsafe unserialize() calls, unescaped shell parameters, and template injection vectors.
- AC-6 Least Privilege (prevent): Enforces least privilege so that only minimal accounts can reach the admin-only InstallCommand path that enables OS command injection.
- Integrity verification (prevent, detect): Requires integrity verification of software and serialized objects to detect or block gadget-chain execution resulting from PHP object injection.
