21 matches found
GHSA-FMG2-F5R9-24QC Grav: Stored XSS via page title (data[header][title]) in admin panel
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertitle parameter. --- Details Vulnerable Endpoint: GET /admin/pages/page Parameter:...
PT-2026-39296
Name of the Vulnerable Software and Affected Versions grav-plugin-admin versions prior to 1.10.49.5 Description The application fails to properly validate and sanitize user input in the dataheadertitle parameter. This allows attackers to craft a malicious URL containing a Cross-Site Scripting XSS...
Cross-site Scripting (XSS)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin/pages/ endpoint due to insufficient sanitization of user-supplied input in the detectXss function. An...
Grav is Vulnerable to Stored XSS via Tag Injection
Summary A low-privileged with the ability to create a page user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the...
CVE-2025-66311
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66309
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
EUVD-2025-200101
Grav is vulnerable to Cross-Site Scripting XSS Reflected endpoint /admin/pages/page, parameter dataheadercontentitems, located in the "Blog Config" tab...
GHSA-MPJJ-4688-3FXG Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadermetadata, dataheadertaxonomycategory, and dataheadertaxonomytag parameters. These...
GHSA-V8X2-FJV7-8HJH Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Summary Due to a broken access control vulnerability in the /admin/pages/pagename endpoint, an editor user with full permissions to pages can change the functionality of a form after submission. Details Due to improper authorization checks when modifying critical fields on a POST request to...
CVE-2025-66310
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66311
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66309
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66311 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66311
CVE-2025-66311 refers to a Stored XSS vulnerability in Grav’s admin interface. The issue is in the "/admin/pages/[page]" endpoint where un sanitized input could be injected into data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag], with payloads stored in page...
CVE-2025-66310 Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66309 Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
CVE-2025-66309 Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This...
appRain CMF cross-site scripting vulnerability (CNVD-2025-21134)
appRain CMF is a content management framework. A cross-site scripting vulnerability exists in appRain CMF due to improper validation of user input in the /apprain/page/manage-static-pages/create endpoint. An attacker could use this vulnerability to steal the victim's cookie-based authentication...
Exploit for Improper Input Validation in Atlassian Confluence_Data_Center
CVE-2023-22515 How does this detection method work? Th...
Rukovoditel 跨站脚本漏洞
Rukovoditel is a set of Web-based open source project management software from the Rukovoditel team. The software has project management, customer relationship management and other functions. Rukovoditel v3.2.1 version of a security vulnerability , the vulnerability stems from the Add Page functi...