Impact
This vulnerability is stored cross‑site scripting (XSS) (CWE‑79) in the Grav Admin2 Pages API save flow. The missing safety check allows malicious content to be persisted in a page through the Admin2 Pages API save flow.
Affected Systems
The vulnerability affects Grav versions 2.0.0‑rc.9 and their Admin2 component 2.0.0‑rc.14, specifically the Grav Plugin API 1.7.52. Any Grav site that uses these releases and allows page editing through the Admin2 interface is potentially susceptible.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no currently documented exploits. Based on the description, it is inferred that an attacker with access to the Admin2 API, such as an authenticated administrator or content editor, could inject malicious content that would be stored and rendered on subsequent page views.
OpenCVE Enrichment