Description
grav-plugin-admin, the admin plugin for Grav, is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the plugin fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. This vulnerability is fixed in 1.10.49.5.
Published: 2026-05-11
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The grav-plugin-admin plugin for Grav fails to validate and sanitize user input supplied to the data[header][title] parameter on the /admin/pages/[page] endpoint, so a JavaScript payload submitted in that parameter is written into the admin page's HTML without escaping. When a victim who is logged in to the admin panel loads the affected response (by following a crafted URL, or by opening a page whose title already carries the payload), the script executes in the victim's browser session, potentially enabling cookie theft, session hijacking, or any other action the victim can perform in the admin panel. The advisory describes the flaw both as stored (the GHSA title: stored XSS via page title) and as reflected (the CVE description: a crafted URL whose payload is reflected in the response); in either reading it is cross-site scripting, CWE-79.

Affected Systems

The vulnerability affects the Grav Admin Plugin (grav-plugin-admin) from the getgrav project. All versions prior to 1.10.49.5 are vulnerable; the issue is fixed in 1.10.49.5 and later releases.

Risk and Exploitability

The CVSS 4.0 base score is 6.2 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H: the flaw is reachable over the network with low complexity and no preconditions, but the attacker needs high privileges (PR:H, an authenticated admin-panel account able to set the title) and the victim must actively interact (UI:A, for example follow the crafted link or open the affected page). The impact on the vulnerable Grav instance itself is rated low (VC:L/VI:L/VA:N); the high subsequent-system ratings (SC:H/SI:H/SA:H) reflect that the script runs in the victim's browser with the victim's admin session. EPSS is below 1% (very low), and the CVE is not listed in the CISA KEV catalog. The realistic scenario is therefore one admin-panel user (a lower-privileged editor, or an attacker who has taken over such an account) planting a JavaScript payload through data[header][title] and a higher-privileged administrator loading it; the script then performs whatever actions that administrator can perform in the admin panel.

Generated by OpenCVE AI on May 11, 2026 at 17:35 UTC.
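Why the echoed title becomes executable script, as an added illustration for this record (not grav-plugin-admin's code or its templates, which this page does not show): a hypothetical admin page echoes the title once as element text and once as the value of the edit field, and is rendered three ways. The payload is constructed for the example. Python's html.parser is used to list the elements a browser would build from each rendering, which exposes the common half measure of escaping only angle brackets: it stops the injected img element but still lets the payload close the value attribute and attach an onerror handler to the existing input element. Only escaping for the attribute context as well (html.escape with quote=True) neutralises both.

```python
"""Unescaped vs. context-aware escaping of a page title.

Added illustration for CVE-2026-44737. This models a generic admin page
that echoes data[header][title]; it is not grav-plugin-admin's own code,
and the template below is an assumption, not the plugin's markup.
"""
from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed payload of the shape the CVE describes: it first closes the
# attribute it lands in, then opens an element carrying an event handler.
PAYLOAD = '"><img src=x onerror="alert(document.cookie)">'

# Hypothetical template: the title appears as element text and again as
# the value of the edit field, i.e. in two different HTML contexts.
TEMPLATE = (
    '<h1 class="page-title">{title}</h1>\n'
    '<input name="data[header][title]" value="{title}">'
)


def render_unescaped(title: str) -> str:
    """Vulnerable: the title is interpolated verbatim into both contexts."""
    return TEMPLATE.format(title=title)


def render_angle_brackets_only(title: str) -> str:
    """Half measure: blocks new elements, but a quote still ends the attribute."""
    return TEMPLATE.format(title=title.replace("<", "&lt;").replace(">", "&gt;"))


def render_escaped(title: str) -> str:
    """Fixed: escape & < > " and ' so the value cannot leave either context."""
    return TEMPLATE.format(title=html.escape(title, quote=True))


class _ElementCollector(HTMLParser):
    """Records (tag, attribute names) for each start tag, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, [name for name, _ in attrs]))


def _elements(document: str) -> list[tuple[str, list[str]]]:
    parser = _ElementCollector()
    parser.feed(document)
    parser.close()
    return parser.elements


def injected_elements(document: str) -> list[str]:
    """Tags other than the h1 and input the template legitimately emits."""
    return [tag for tag, _ in _elements(document) if tag not in {"h1", "input"}]


def has_event_handler(document: str) -> bool:
    """True if any element ends up with an on* attribute, i.e. script would run."""
    return any(attr.startswith("on")
               for _, attrs in _elements(document) for attr in attrs)


if __name__ == "__main__":
    for name, render in [("unescaped", render_unescaped),
                         ("angle brackets only", render_angle_brackets_only),
                         ("html.escape(quote=True)", render_escaped)]:
        doc = render(PAYLOAD)
        print(f"{name:24} injected={injected_elements(doc)} "
              f"handler={has_event_handler(doc)}")
```

The middle rendering is the instructive one: an element-count check reports nothing injected, yet the input element now carries an onerror attribute, so a check that only looks for new tags would pass a page that still runs attacker script. In a Twig-based application the equivalent fix is to keep autoescaping on and never mark title values as raw.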

Remediation

The vendor fix is grav-plugin-admin 1.10.49.5, the release named in the CVE description and in GHSA-fmg2-f5r9-24qc; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the Grav Admin Plugin to version 1.10.49.5 or later, the release the CVE description and the GHSA advisory name as the fix.
  • If an upgrade cannot be performed immediately, reduce exposure of the admin panel: limit which accounts can edit pages, restrict access to /admin by network location or by authentication placed in front of it, or disable the plugin until it can be updated (which removes the admin UI entirely).
  • In any custom or legacy template or plugin that renders the page title, HTML-escape it at output for the context it lands in (element text or attribute value); input filtering alone is not a reliable defence against XSS.
  • Check existing content and logs: review page frontmatter for title values containing HTML tags, on*= attributes or javascript: URLs (a payload stored through this bug persists in the page file), and search web server access logs for requests to /admin/pages/ whose data[header][title] value contains such markup, including its URL-encoded forms (%3C, %3E).
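The content check behind the monitoring item in the recommended actions, as an added example for this record (not OpenCVE's or the Grav project's code): Grav stores each page as a Markdown file with a YAML frontmatter block under user/pages, and the admin's data[header][title] field is written to that frontmatter's title: key, so a stored payload survives there after the request is gone. The scanner below extracts that key with a dependency-free regex (a YAML parser is the robust alternative) and flags values containing tag starts, inline event handlers, javascript: URLs, numeric character entities or URL-encoded angle brackets. The sample pages and payloads are constructed for the example; the heuristics are deliberately broad and will flag some legitimate titles, such as a less-than sign directly followed by a letter.

```python
"""Flag Grav page titles that contain HTML or script markup.

Added example for CVE-2026-44737; not code from Grav or OpenCVE.
Assumes Grav's default layout: one Markdown file per page under
user/pages, with a YAML frontmatter block whose 'title:' key holds
the value submitted as data[header][title] in the admin panel.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Anything that can turn a plain-text title into markup or script once it
# reaches an HTML page. Deliberately broad: a scanner should over-report.
SUSPICIOUS = re.compile(
    r"</?[a-z][\w-]*"        # tag start or end, e.g. <script, <img, </svg
    r"|\bon[a-z]+\s*="       # inline event handler, e.g. onerror=, onload=
    r"|javascript\s*:"       # javascript: URL scheme
    r"|&#x?[0-9a-f]+;"       # numeric entity that may decode to < or >
    r"|%3c|%3e",             # URL-encoded < and >
    re.IGNORECASE,
)

# Frontmatter is the block between the opening and closing '---' lines.
FRONTMATTER = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.DOTALL)
TITLE_LINE = re.compile(r"^title:[ \t]*(.*)$", re.MULTILINE)

# Constructed sample pages (path relative to user/pages -> file content).
# Two carry payloads of the kind the CVE describes; two are benign, one of
# them with '&' and ':' to show that ordinary punctuation is not flagged.
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Welcome\n",
    "02.blog/item.md": "---\ntitle: 'Q&A: tips & tricks'\ndate: '01-05-2026'\n---\ntext\n",
    "03.about/default.md":
        '---\ntitle: "<img src=x onerror=alert(document.cookie)>"\n---\ntext\n',
    "04.news/default.md": "---\ntitle: Read more &#x3c;svg onload=alert(1)&#x3e;\n---\n",
}


def extract_title(markdown: str) -> str | None:
    """Return the frontmatter title, or None if the file has none."""
    block = FRONTMATTER.match(markdown)
    if not block:
        return None
    line = TITLE_LINE.search(block.group(1))
    if not line:
        return None
    value = line.group(1).strip()
    # Drop one layer of matching YAML quotes; good enough for a scanner.
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def is_suspicious(title: str) -> bool:
    """True if the title contains anything from the SUSPICIOUS pattern."""
    return SUSPICIOUS.search(title) is not None


def scan_documents(pages: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, title) for every page whose title looks like markup."""
    findings = []
    for path in sorted(pages):
        title = extract_title(pages[path])
        if title is not None and is_suspicious(title):
            findings.append((path, title))
    return findings


def scan_pages(root: Path) -> list[tuple[str, str]]:
    """Load every *.md below root (normally user/pages) and scan it."""
    pages = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*.md")
    }
    return scan_documents(pages)


if __name__ == "__main__":
    # Scan a real site with: python scan_titles.py /path/to/grav/user/pages
    # Without an argument, run against the constructed samples.
    results = (scan_pages(Path(sys.argv[1])) if len(sys.argv) > 1
               else scan_documents(SAMPLE_PAGES))
    for path, title in results:
        print(f"{path}: {title!r}")
```

Run it against a copy of user/pages taken before the upgrade as well as after: the fixed plugin stops the payload from executing, but it does not remove a title that was already stored, so every hit still needs to be edited by hand.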

Advisories

Source: GitHub GHSA
ID: GHSA-fmg2-f5r9-24qc
Title: Grav: Stored XSS via page title (data[header][title]) in admin panel
History

Mon, 11 May 2026 18:00:00 +0000

Type: First Time appeared
  Values Added: Getgrav; Getgrav grav-plugin-admin

Type: Vendors & Products
  Values Added: Getgrav; Getgrav grav-plugin-admin

Mon, 11 May 2026 16:30:00 +0000

Type: Description
  Values Added: grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. This vulnerability is fixed in 1.10.49.5.

Type: Title
  Values Added: grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]

Type: Weaknesses
  Values Added: CWE-79

Type: References

Type: Metrics
  Values Added: cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:35:37.711Z

Reserved: 2026-05-07T18:04:17.310Z

Link: CVE-2026-44737

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-11T17:16:34.610

Modified: 2026-05-11T20:25:46.633

Link: CVE-2026-44737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:45:26Z

Weaknesses