Grav CMS, a modern web platform built on Twig, Symfony, and Doctrine, has been found vulnerable to two significant security issues, CVE-2021-29440 and CVE-2021-29439, both of which can be exploited by authenticated attackers with low privileges. The vulnerabilities were discovered in the administration dashboard and the core of the CMS, and they allow remote attackers to execute arbitrary PHP code and system commands on the underlying server. The maintainers have since released patches for both issues, addressing the security concerns and ensuring the stability of the platform. The discovery highlights the importance of regular security research and testing, as well as the need for users to keep their instances up to date with the latest version.