Grav CMS CVE-2026-44737
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
_A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][title] parameter._
---
Details
Vulnerable Endpoint: GET /admin/pages/[page] Parameter: data[header][title]
The application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.
---
PoC
Payload: <img src=1 onerror=alert(1)>
- Log in to the Grav Admin Panel and navigate to Pages.
- Create a new page or edit an existing one.
- Edit title of the page to
<img src=1 onerror=alert(1)>
<img width="1897" height="700" alt="image" src="https://github.com/user-attachments/assets/77a129ca-5c2b-4743-8c56-c17fa456eefa" />
- Save page
- Open the move function and click on the folder having the payload
<img width="1904" height="984" alt="image" src="https://github.com/user-attachments/assets/44f8f88f-76c4-449f-8c4e-11e8e2c51d8f" />
<img width="1902" height="995" alt="image" src="https://github.com/user-attachments/assets/1dc2ef15-e534-4e87-93ea-92bc573af7f1" />
---
Impact
Stored cross-site scripting (XSS) attacks can have serious consequences, including:
- User actions: Attackers can perform actions on behalf of the user
- Data theft: Sensitive information such as session cookies can be stolen
- Account compromise: Attackers may impersonate legitimate users
- Malicious code execution: Arbitrary JavaScript code can run in the user’s browser
- Website defacement or misinformation: Malicious output may be injected visually
- User redirection: Victims may be redirected to phishing or malicious websites
By Vu Duc Hieu Contributor Simon Tran
AnalysisAI
Stored cross-site scripting in Grav admin panel allows authenticated attackers to inject malicious JavaScript into page titles via the data[header][title] parameter, which is then executed when other administrators access the affected page or its move function. The vulnerability requires admin authentication to inject the payload but affects all subsequent viewers, enabling session hijacking, credential theft, and administrative impersonation. Publicly available exploit code exists with working proof-of-concept screenshots.
Technical ContextAI
Grav is a flat-file content management system built on PHP. The vulnerability resides in the /admin/pages/[page] endpoint, specifically the data[header][title] parameter used for page metadata. The root cause is improper input sanitization in the admin panel's page editor, allowing HTML and JavaScript to be stored directly in page headers without escaping. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to encode user-supplied data before rendering it in the admin interface. The stored nature means the payload persists in the page configuration file and executes whenever the page or its metadata is displayed, affecting all users with access to that admin section.
RemediationAI
Upgrade Grav immediately to version 1.7.49.5 or later, which includes input sanitization for the data[header][title] parameter. Patch is available via composer with command 'composer update getgrav/grav'. For organizations unable to patch immediately, implement the following compensating controls: restrict admin panel access via network ACLs to trusted IP ranges only; enable HTTP-only and Secure flags on admin session cookies to prevent script access; conduct audit of existing pages for XSS payloads in title fields and sanitize or delete suspicious content; monitor admin panel access logs for unusual activity. Note that firewall-based restrictions do not prevent exploitation by legitimate compromised admin accounts, so patching remains essential. See GitHub advisory GHSA-fmg2-f5r9-24qc for additional details and timeline.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fmg2-f5r9-24qc