CVE-2020-36955
Unknown Unknown - Not Provided
Persistent XSS in Grav CMS Admin Plugin Allows Script Injection

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: VulnCheck

Description
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36955
EUVD
EUVD-2020-30847
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
grav cms 1.6.30
grav admin_plugin to 1.9.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a persistent cross-site scripting (XSS) flaw in Grav CMS 1.6.30 with Admin Plugin 1.9.18. Authenticated attackers can inject malicious JavaScript code into the 'page title' field when creating a new page. This malicious script is stored and later executed whenever the page is viewed in the admin panel or on the public site, due to improper sanitization or encoding of the page title input. [1, 2]

Impact Analysis

The impact of this vulnerability is that an authenticated attacker can execute arbitrary JavaScript code in the context of the Grav CMS admin panel or the public site. This can lead to unauthorized actions such as session hijacking, defacement, or other malicious activities that exploit the victim's browser. Since the script is persistent, it remains active whenever the affected page is viewed, increasing the risk of exploitation. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to inject a script tag into the 'Page Title' field of the Grav CMS admin panel and observing if the script executes when the page is viewed. For example, log in to the Grav CMS admin panel, navigate to the 'Pages' section, and create a new page with the title containing a script tag such as `<script>alert(1337)</script>`. After saving, preview the page or visit the front-end URL to see if the alert executes. Additionally, you can monitor POST requests to `/grav-admin/admin/pages` with suspicious payloads in the `data[title]` parameter. There are no specific command-line tools or commands provided, but manual testing via the admin interface or intercepting HTTP requests with tools like curl or Burp Suite can be used. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Grav CMS admin panel to trusted users only, ensuring that only authenticated and authorized users can create or edit pages. Avoid entering untrusted input into the 'Page Title' field. Applying any available patches or updates to Grav CMS and the Admin Plugin that address this vulnerability is recommended. If patches are not available, consider implementing input validation or sanitization on the 'Page Title' field to prevent script injection. Monitoring and reviewing newly created pages for suspicious content can also help mitigate exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36955. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart