Lucene search
K

53 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-59190

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS0.00215EPSS
Exploits0References2
CVE
CVE
added 4 days ago8 views

CVE-2026-59190

Grav plugin: grav-plugin-admin is affected. In versions ≤1.10.52, an authenticated user with admin.users permission can escalate privileges by altering another user’s password via POST to /admin/user/{username}?task=save with data[password]. The vulnerability stems from saveUser validating the ca...

8.7CVSS6.1AI score0.00215EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-59190 Grav Admin Plugin — IDOR Privilege Escalation via saveUser()

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS0.00215EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.12 views

CVE-2026-44737

grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the dataheadertitle parameter. As a result,...

6.2CVSS5.4AI score0.00256EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 3:3 p.m.17 views

CVE-2026-42609

Grav CVE-2026-42609 describes a business-logic flaw in the Grav Admin Panel where a low-privileged user with admin user-creation permissions can overwrite a higher-privilege account by creating a new user with an existing username. The system incorrectly updates the existing account’s metadata an...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 7:38 p.m.12 views

Grav: Stored XSS via page title (data[header][title]) in admin panel

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertitle parameter. --- Details Vulnerable Endpoint: GET /admin/pages/page Parameter:...

6.2CVSS5.7AI score0.00256EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.13 views

PT-2026-39296

Name of the Vulnerable Software and Affected Versions grav-plugin-admin versions prior to 1.10.49.5 Description The application fails to properly validate and sanitize user input in the dataheadertitle parameter. This allows attackers to craft a malicious URL containing a Cross-Site Scripting XSS...

6.2CVSS5.8AI score0.00256EPSS
Exploits0References5
OSV
OSV
added 2026/05/05 9:29 p.m.5 views

GHSA-RR73-568V-28F8 Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.9 views

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.14 views

PT-2026-37275

Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A business logic issue in the Grav Admin Panel allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References12
Veracode
Veracode
added 2025/12/13 6:9 a.m.5 views

Cross-Site Scripting (XSS)

getgrav/grav is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is due to improper input validation in the /admin/pages/page endpoint, which allows an attacker to inject malicious scripts via the dataheadercontentitems parameter...

6.2CVSS5.9AI score0.00197EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/12/02 10:31 p.m.7 views

CVE-2025-66312

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. Th...

6.2CVSS5.1AI score0.00182EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/12/02 10:31 p.m.4 views

CVE-2025-66309

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

6.2CVSS5.7AI score0.00197EPSS
Exploits1References1
EUVD
EUVD
added 2025/12/02 1:24 a.m.5 views

EUVD-2025-200100

Grav vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/pages/page parameter dataheadertemplate in Advanced Tab...

6.2CVSS5.4AI score0.00182EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/02 1:23 a.m.7 views

EUVD-2025-200102

Grav Admin Plugin vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/config/site parameter datataxonomies...

6.8CVSS5.4AI score0.00182EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2025/12/02 1:23 a.m.9 views

Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datataxonomies parameter. The injected payload is stored on the server and automatically...

6.8CVSS5.2AI score0.00182EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:37 a.m.6 views

Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datareadableName parameter. The injected scripts are stored on the server and...

6.2CVSS5.5AI score0.00182EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/12/02 12:37 a.m.6 views

GHSA-RMW5-F87R-W988 Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datareadableName parameter. The injected scripts are stored on the server and...

6.2CVSS5.4AI score0.00182EPSS
Exploits1References4
EUVD
EUVD
added 2025/12/02 12:37 a.m.8 views

EUVD-2025-200099

Grav vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/pages/page in Multiples parameters...

6.2CVSS5.3AI score0.00182EPSS
Exploits1References3
OSV
OSV
added 2025/12/02 12:35 a.m.4 views

GHSA-CJCP-QXVG-4RJM Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

Summary A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new...

8.8CVSS7AI score0.00278EPSS
Exploits0References4
Rows per page
Query Builder