Vulnerability-Lookup

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

Related vulnerabilities

GHSA-FMG2-F5R9-24QC

Vulnerability from github – Published: 2026-05-08 19:38 – Updated: 2026-05-08 19:38

Summary

Grav: Stored XSS via page title (data[header][title]) in admin panel

Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][title] parameter.

Details

Vulnerable Endpoint: GET /admin/pages/[page] Parameter: data[header][title]

The application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.

PoC

Payload: <img src=1 onerror=alert(1)>

Log in to the Grav Admin Panel and navigate to Pages.
Create a new page or edit an existing one.
Edit title of the page to <img src=1 onerror=alert(1)>

Save page
Open the move function and click on the folder having the payload

Impact

Stored cross-site scripting (XSS) attacks can have serious consequences, including:

User actions: Attackers can perform actions on behalf of the user
Data theft: Sensitive information such as session cookies can be stolen
Account compromise: Attackers may impersonate legitimate users
Malicious code execution: Arbitrary JavaScript code can run in the user’s browser
Website defacement or misinformation: Malicious output may be injected visually
User redirection: Victims may be redirected to phishing or malicious websites

By Vu Duc Hieu Contributor Simon Tran

Severity ?

6.2 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.49.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:38:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n_A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][title] parameter._\n\n--- \n\n### Details\nVulnerable Endpoint: GET /admin/pages/[page]\nParameter: data[header][title]\n\nThe application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim\u0027s browser session.\n\n--- \n\n### PoC\n**Payload:** `\u003cimg src=1 onerror=alert(1)\u003e`\n\n1. Log in to the Grav Admin Panel and navigate to Pages.\n \n2. Create a new page or edit an existing one.\n\n3. Edit title of the page to  `\u003cimg src=1 onerror=alert(1)\u003e`\n\n\u003cimg width=\"1897\" height=\"700\" alt=\"image\" src=\"https://github.com/user-attachments/assets/77a129ca-5c2b-4743-8c56-c17fa456eefa\" /\u003e\n\n4. Save page\n \n5. Open the move function and click on the folder having the payload\n\n\u003cimg width=\"1904\" height=\"984\" alt=\"image\" src=\"https://github.com/user-attachments/assets/44f8f88f-76c4-449f-8c4e-11e8e2c51d8f\" /\u003e\n\n\u003cimg width=\"1902\" height=\"995\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1dc2ef15-e534-4e87-93ea-92bc573af7f1\" /\u003e\n\n--- \n\n### Impact\n\nStored cross-site scripting (XSS) attacks can have serious consequences, including:\n\n- User actions: Attackers can perform actions on behalf of the user\n\n- Data theft: Sensitive information such as session cookies can be stolen\n\n- Account compromise: Attackers may impersonate legitimate users\n\n- Malicious code execution: Arbitrary JavaScript code can run in the user\u2019s browser\n\n- Website defacement or misinformation: Malicious output may be injected visually\n\n- User redirection: Victims may be redirected to phishing or malicious websites\n\nBy [Vu Duc Hieu](https://github.com/vdh1612) \nContributor [Simon Tran](https://github.com/simontranduy)",
  "id": "GHSA-fmg2-f5r9-24qc",
  "modified": "2026-05-08T19:38:00Z",
  "published": "2026-05-08T19:38:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-fmg2-f5r9-24qc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav: Stored XSS via page title (data[header][title]) in admin panel"
}