CVE-2025-66312

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. Th...

Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datataxonomies parameter. The injected payload is stored on the server and automatically...

EUVD-2025-200102

Grav Admin Plugin vulnerable to Cross-Site Scripting XSS Stored endpoint /admin/config/site parameter datataxonomies...

Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datareadableName parameter. The injected scripts are stored on the server and...

GHSA-RMW5-F87R-W988 Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datareadableName parameter. The injected scripts are stored on the server and...

CVE-2025-66312

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. Th...

CVE-2025-66308

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This...

CVE-2025-66312 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. Th...

CVE-2025-66312 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. Th...

CVE-2025-66308 Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This...

CVE-2025-66307 Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks...

PT-2025-48570

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...

PT-2025-48568

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.11.0-beta.1 Description The Grav admin plugin, an HTML user interface for configuring Grav and managing pages, contains a Reflected Cross-Site Scripting XSS issue. An attacker can inject malicious scripts through the...

EUVD-2021-16063

Malware in sbrugna...

CVE-2021-21425

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in...

CVE-2021-29439

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission admin.login can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitiv...

GravCMS Remote Command Execution

This module exploits arbitrary config write/update vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the web server user. Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify...

GravCMS 1.10.7 Remote Command Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GravCMS Remote Command Execution', 'Description' = %q This module exploits arbitrary config write/update vulnerability to achieve remote code...

CVE-2021-29439

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission admin.login can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitiv...

CVE-2021-29439

The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission admin.login can install third-party plugins and their dependencies. By installing the right plugin, an attacker can obtain an arbitrary code execution primitiv...