Skip to main content

Grav CMS CVE-2026-44737

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 https://github.com/getgrav/grav GHSA-fmg2-f5r9-24qc
6.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 11, 2026 - 17:22 NVD
6.2 (MEDIUM)
Source Code Evidence Fetched
May 08, 2026 - 20:34 vuln.today
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVE Published
May 08, 2026 - 19:38 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

_A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][title] parameter._

---

Details

Vulnerable Endpoint: GET /admin/pages/[page] Parameter: data[header][title]

The application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.

---

PoC

Payload: <img src=1 onerror=alert(1)>

  1. Log in to the Grav Admin Panel and navigate to Pages.
  2. Create a new page or edit an existing one.
  3. Edit title of the page to <img src=1 onerror=alert(1)>

<img width="1897" height="700" alt="image" src="https://github.com/user-attachments/assets/77a129ca-5c2b-4743-8c56-c17fa456eefa" />

  1. Save page
  2. Open the move function and click on the folder having the payload

<img width="1904" height="984" alt="image" src="https://github.com/user-attachments/assets/44f8f88f-76c4-449f-8c4e-11e8e2c51d8f" />

<img width="1902" height="995" alt="image" src="https://github.com/user-attachments/assets/1dc2ef15-e534-4e87-93ea-92bc573af7f1" />

---

Impact

Stored cross-site scripting (XSS) attacks can have serious consequences, including:

  • User actions: Attackers can perform actions on behalf of the user
  • Data theft: Sensitive information such as session cookies can be stolen
  • Account compromise: Attackers may impersonate legitimate users
  • Malicious code execution: Arbitrary JavaScript code can run in the user’s browser
  • Website defacement or misinformation: Malicious output may be injected visually
  • User redirection: Victims may be redirected to phishing or malicious websites

By Vu Duc Hieu Contributor Simon Tran

AnalysisAI

Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.

Technical ContextAI

Grav is a flat-file content management system built on PHP. The vulnerability resides in the /admin/pages/[page] endpoint, specifically the data[header][title] parameter used for page metadata. The root cause is improper input sanitization in the admin panel's page editor, allowing HTML and JavaScript to be stored directly in page headers without escaping. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to encode user-supplied data before rendering it in the admin interface. The stored nature means the payload persists in the page configuration file and executes whenever the page or its metadata is displayed, affecting all users with access to that admin section.

RemediationAI

Upgrade Grav immediately to version 1.7.49.5 or later, which includes input sanitization for the data[header][title] parameter. Patch is available via composer with command 'composer update getgrav/grav'. For organizations unable to patch immediately, implement the following compensating controls: restrict admin panel access via network ACLs to trusted IP ranges only; enable HTTP-only and Secure flags on admin session cookies to prevent script access; conduct audit of existing pages for XSS payloads in title fields and sanitize or delete suspicious content; monitor admin panel access logs for unusual activity. Note that firewall-based restrictions do not prevent exploitation by legitimate compromised admin accounts, so patching remains essential. See GitHub advisory GHSA-fmg2-f5r9-24qc for additional details and timeline.

Share

CVE-2026-44737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy