Ghostwire

CVE-2026-62237: Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and...

MEDIUM CVSS 0.0

Published: July 17, 2026 | Last Modified: July 17, 2026

Description

Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the regex_replace filter and function, which are allowlisted in the Twig content sandbox. When Twig processing in page content is enabled (security.twig_content.process_enabled: true, disabled by default), an authenticated page editor can supply a catastrophically backtracking PCRE pattern that is passed directly to PHP's preg_replace(), causing unbounded CPU consumption and denial of service to the web server process.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References