CVE-2026-44737
Received Received - Intake
Reflected XSS in Grav Admin Plugin

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. This vulnerability is fixed in 1.10.49.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44737
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav_plugin_admin to 1.10.49.5 (exc)
getgrav grav_plugin_admin 1.10.49.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Grav Admin plugin, specifically affecting the data[header][title] parameter. The application fails to properly validate and sanitize user input in this parameter, allowing attackers to inject malicious scripts via crafted payloads.

When a user accesses a page containing the injected script, the script executes within their browser session. This can happen because the malicious script is reflected back in the HTTP response and executed in the context of the victim's browser.

The vulnerability exists in two places in the plugin's code where the title is improperly handled: in the breadcrumb path bar and in the title attribute of elements. Attackers with admin.pages permission can inject payloads that execute in a super-admin's session, posing a privilege escalation risk.

This vulnerability was fixed in version 1.10.49.5 by properly escaping content using safer jQuery DOM APIs.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your browser session when accessing a crafted URL or interacting with certain admin interface elements.

  • Stealing session cookies, which can lead to account takeover.
  • Performing unauthorized actions on behalf of the victim.
  • Redirecting users to phishing or malicious websites.
  • Privilege escalation in multi-author environments, where a low-tier admin can inject scripts that execute in a super-admin's session.

Exploitation requires high privileges (admin.pages permission) and active user interaction, but the consequences can be severe for site security and user trust.

Detection Guidance

This vulnerability can be detected by checking if your Grav Admin Plugin version is 1.10.49.4 or earlier, as these versions are affected by the stored XSS issue in the data[header][title] parameter.

To detect exploitation attempts on your system or network, you can monitor HTTP requests to the `/admin/pages/[page]` endpoint for suspicious payloads containing typical XSS attack vectors such as `<img src=1 onerror=alert(1)>` or other script injection patterns.

Example commands to detect such attempts could include using network traffic inspection tools or web server logs with grep to find suspicious patterns:

  • grep -i 'data\[header\]\[title\]' /var/log/apache2/access.log | grep -E '<script|onerror|alert\('
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'data[header][title]'

Additionally, scanning your installed Grav Admin Plugin version can be done by checking the plugin version via the Grav CLI or inspecting the plugin files.

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade the Grav Admin Plugin to version 1.10.49.5 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, restrict access to the Grav Admin interface to trusted users only, as exploitation requires admin-level permissions and active user interaction.

Additionally, review and sanitize any user input or page titles that may have been injected with malicious scripts, and consider monitoring and blocking suspicious requests targeting the vulnerable endpoint.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to inject malicious scripts which execute in the context of another user's browser session. This can lead to unauthorized actions, session hijacking, or redirection to phishing sites.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or disclosure of personal or sensitive data through session hijacking or other malicious activities.

Specifically, failure to properly validate and sanitize user input, resulting in XSS vulnerabilities, can violate requirements for protecting user data and ensuring secure processing under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart