9 matches found
CVE-2021-21425
GravCMS (Grav Admin Plugin)
CVE-2021-3920
The CVE-2021-3920 entry concerns grav-plugin-admin for Grav CMS. The vulnerability is Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting). The issue is a stored XSS in getgrav/grav-plugin-admin per the CVE record. Affected component: grav-plugin-admin plugin; root c...
CVE-2021-3799
CVE-2021-3799 relates to grav-plugin-admin, where the vulnerability arises from improper restriction of rendered UI layers or frames. The connected documents consistently describe an admin UI access-control/UI-layer restriction flaw that can enable clickjacking due to missing frame protection hea...
CVE-2025-66308
Grav Admin Plugin stored-XSS CVE-2025-66308 affects the Grav admin UI via POST /admin/config/site, specifically data[taxonomies]. The vulnerability stores malicious input on the server which later executes in a user’s browser when configuring sites, creating a persistent attack vector. Root cause...
CVE-2025-66311
CVE-2025-66311 refers to a Stored XSS vulnerability in Grav’s admin interface. The issue is in the "/admin/pages/[page]" endpoint where un sanitized input could be injected into data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag], with payloads stored in page...
CVE-2025-66307
CVE-2025-66307 Grav Admin Plugin describes a user enumeration and email disclosure flaw in Grav’s Admin plugin prior to version 1.11.0-beta.1. The vulnerability is triggered via the Forgot Password workflow at /admin/forgot, which leaks a valid user’s email address by returning distinct responses...
CVE-2025-66309
Grav admin plugin (admin/pages/[page]) is affected by a Reflected XSS in the data[header][content][items] parameter of GET /admin/pages/[page]. The issue stems from insufficient input validation/sanitization and is fixed in Grav 1.11.0-beta.1. Multiple sources describe the vulnerability and inclu...
CVE-2025-66310
Grav’s admin plugin suffers a Stored XSS in the /admin/pages/[page] endpoint via data[header][template] stored in page frontmatter. Impact is execution of scripts when rendering content in admin or frontend views. Fix available in Grav 1.11.0-beta.1. No exploitation details are provided beyond th...
CVE-2025-66312
The CVE-2025-66312 pertains to Grav Admin Plugin, where a Stored XSS vulnerability existed in the /admin/accounts/groups/Grupo endpoint via the data[readableName] field. The issue allowed injected scripts to be stored on the server and executed when affected pages load. It affects Grav’s admin in...