CVE-2026-56701 Overview
CVE-2026-56701 is an XML External Entity (XXE) injection vulnerability in the Grav flat-file content management system. The flaw exists in versions before 2.0.0-beta.2 and resides in the SVG file upload processing path. Grav passes user-supplied SVG content to simplexml_load_string without disabling external entity loading, leaving the XML parser exposed to entity expansion. Authenticated attackers with upload privileges can craft malicious SVG files containing XXE payloads to read arbitrary files from the server filesystem. The weakness maps to CWE-611: Improper Restriction of XML External Entity Reference.
Critical Impact
Authenticated attackers can exfiltrate arbitrary files from the Grav host, including configuration files, credentials, and source code, by uploading crafted SVG documents.
Affected Products
- Grav CMS versions prior to 2.0.0-beta.2
- Grav installations accepting SVG uploads from authenticated users
- Grav admin plugin instances exposing media upload functionality
Discovery Timeline
- 2026-06-23 - CVE-2026-56701 published to the National Vulnerability Database
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56701
Vulnerability Analysis
Grav processes uploaded SVG files through PHP's simplexml_load_string function as part of its media handling pipeline. The function call omits flags that would suppress external entity resolution, leaving the underlying libxml parser configured to fetch external resources referenced inside the XML document. SVG is an XML-based vector format, so any uploaded SVG is parsed as XML and inherits the XXE exposure.
An authenticated user with permission to upload media can submit a crafted SVG containing a DOCTYPE declaration and an external entity reference. When Grav parses the document, the entity resolves to local file contents or remote resources requested by the server. The attacker retrieves the result through the rendered SVG, error messages, or out-of-band channels such as DNS or HTTP callbacks.
Exploitation requires valid credentials with upload rights but no user interaction beyond the upload itself. Successful exploitation results in disclosure of files readable by the web server process, including config/system.yaml, user account files in accounts/, and operating system files such as /etc/passwd.
Root Cause
The root cause is unsafe XML parser configuration. Grav invokes simplexml_load_string on attacker-controlled SVG content without first calling libxml_disable_entity_loader(true) or passing LIBXML_NOENT restrictions, and without validating that uploaded SVG documents are free of DOCTYPE declarations or external entity references.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. The attacker uploads an SVG file containing an XXE payload through the Grav admin media interface. The server parses the SVG, resolves the malicious external entity, and exposes file contents in the parsed output. Refer to the GitHub Security Advisory GHSA-3446-6mgw-f79p and the VulnCheck Advisory on Grav for the technical write-up and proof-of-concept details.
Detection Methods for CVE-2026-56701
Indicators of Compromise
- SVG files in the Grav user/pages/ or user/data/ directories containing <!DOCTYPE declarations or <!ENTITY references
- Outbound HTTP or DNS traffic from the Grav web server to unexpected destinations immediately following media uploads
- Web server access logs showing POST requests to /admin/media or /admin/pages followed by SVG GET requests from the same authenticated session
- PHP error logs referencing simplexml_load_string warnings about entity resolution or file access
Detection Strategies
- Scan uploaded media directories for SVG files containing SYSTEM, PUBLIC, or file:// references inside DOCTYPE blocks
- Inspect web server and application logs for SVG uploads followed by anomalous file read patterns by the www-data or PHP-FPM process
- Monitor egress traffic from the Grav host for unexpected DNS lookups or HTTP requests originating from PHP processes during SVG processing
Monitoring Recommendations
- Alert on creation of SVG files containing XML DOCTYPE declarations within Grav content directories
- Correlate authenticated admin sessions with subsequent file access to sensitive paths such as /etc/passwd, config/, and accounts/
- Enable PHP error and access logging for the Grav application and forward logs to a centralized analytics platform for retention and search
How to Mitigate CVE-2026-56701
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later, where the SVG parser disables external entity loading
- Audit existing media libraries for SVG files containing DOCTYPE declarations or entity references and remove suspicious uploads
- Review admin account inventory and revoke upload privileges for accounts that do not require them
- Rotate any credentials or secrets stored in files readable by the Grav web server process, including API keys in config/ and user account hashes
Patch Information
Grav addressed CVE-2026-56701 in version 2.0.0-beta.2. The fix configures the XML parser to reject external entities before invoking simplexml_load_string on SVG content. Apply the upstream release from the project repository. See the GitHub Security Advisory GHSA-3446-6mgw-f79p for patch references and version metadata.
Workarounds
- Restrict SVG uploads at the web server or reverse proxy layer until the patched Grav version is deployed
- Limit Grav admin and editor accounts to trusted users and enforce strong authentication on the admin interface
- Run the Grav PHP process under a least-privilege system account to reduce the scope of files readable through XXE
- Block outbound network access from the Grav web server to the public internet except where required for plugin updates
# Configuration example: restrict SVG uploads via nginx until patch is applied
location ~* \.svg$ {
if ($request_method = POST) {
return 403;
}
}
# Verify Grav version after upgrade
php bin/grav --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

