Skip to main content

Grav Plugin Api

1 CVEs product

Monthly

CVE-2026-11982 MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy