CVE-2026-44737
Reflected XSS in Grav Admin Plugin
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav_plugin_admin | < 1.10.49.5 (1.10.49.5 excluded) |
| getgrav | grav_plugin_admin | 1.10.49.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Grav Admin plugin, specifically affecting the data[header][title] parameter. The application fails to properly validate and sanitize user input in this parameter, allowing attackers to inject malicious scripts via crafted payloads.
When a user accesses a page containing the injected script, the script executes within their browser session. This can happen because the malicious script is reflected back in the HTTP response and executed in the context of the victim's browser.
The vulnerability exists in two places in the plugin's code where the title is improperly handled: in the breadcrumb path bar and in the title attribute of elements. Attackers with admin.pages permission can inject payloads that execute in a super-admin's session, posing a privilege escalation risk.
This vulnerability was fixed in version 1.10.49.5 by properly escaping content using safer jQuery DOM APIs.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your browser session when accessing a crafted URL or interacting with certain admin interface elements.
- Stealing session cookies, which can lead to account takeover.
- Performing unauthorized actions on behalf of the victim.
- Redirecting users to phishing or malicious websites.
- Privilege escalation in multi-author environments, where a low-tier admin can inject scripts that execute in a super-admin's session.
Exploitation requires high privileges (admin.pages permission) and active user interaction, but the consequences can be severe for site security and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Grav Admin Plugin version is 1.10.49.4 or earlier, as these versions are affected by the stored XSS issue in the data[header][title] parameter.
To detect exploitation attempts on your system or network, you can monitor HTTP requests to the `/admin/pages/[page]` endpoint for suspicious payloads containing typical XSS attack vectors such as `<img src=1 onerror=alert(1)>` or other script injection patterns.
Example commands to detect such attempts could include using network traffic inspection tools or web server logs with grep to find suspicious patterns:
- `grep -i 'data\[header\]\[title\]' /var/log/apache2/access.log | grep -E '<script|onerror|alert\('`
- `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iF 'data[header][title]'`
Additionally, scanning your installed Grav Admin Plugin version can be done by checking the plugin version via the Grav CLI or inspecting the plugin files.
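The grep approach above only matches the literal parameter name, so it misses requests in which the brackets are URL-encoded (`%5B`/`%5D`). The following added example (not part of this record or of the Grav project) decodes each request target before inspecting the `data[header][title]` value; the log lines are constructed for illustration and the suspicious-pattern regex is a heuristic, not an official signature.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2026:10:00:01 +0000] "GET /admin/pages/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/May/2026:10:00:02 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Btitle%5D=%3Cimg%20src%3D1%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:00:03 +0000] "GET /admin/pages/blog?data[header][title]=Quarterly%20Report HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:00:04 +0000] "GET /admin/pages/blog?data[header][title]=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic: markup tags, inline event handlers or javascript: URLs have no
# place in a page title (assumed pattern set, tune for your environment).
SUSPICIOUS_RE = re.compile(r'<\s*\w|\bon\w+\s*=|javascript\s*:', re.IGNORECASE)
PARAM = "data[header][title]"
ADMIN_PAGES_PREFIX = "/admin/pages/"

def suspicious_title_requests(log_text):
    """Return (line_no, decoded_title) for admin page requests whose
    data[header][title] value matches the suspicious pattern set."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(ADMIN_PAGES_PREFIX):
            continue
        # parse_qs percent-decodes both keys and values, so literal and
        # URL-encoded brackets in the parameter name are treated alike.
        for value in parse_qs(query).get(PARAM, []):
            if SUSPICIOUS_RE.search(value):
                hits.append((line_no, value))
    return hits

if __name__ == "__main__":
    for line_no, title in suspicious_title_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious title value {title!r}")
```

Access logs only record the query string, so titles submitted in a POST body need request-body logging or a WAF to be visible this way.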
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the Grav Admin Plugin to version 1.10.49.5 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, restrict access to the Grav Admin interface to trusted users only, as exploitation requires admin-level permissions and active user interaction.
Additionally, review and sanitize any user input or page titles that may have been injected with malicious scripts, and consider monitoring and blocking suspicious requests targeting the vulnerable endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to inject malicious scripts which execute in the context of another user's browser session. This can lead to unauthorized actions, session hijacking, or redirection to phishing sites.
Such security weaknesses can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or disclosure of personal or sensitive data through session hijacking or other malicious activities.
Specifically, failure to properly validate and sanitize user input, resulting in XSS vulnerabilities, can violate requirements for protecting user data and ensuring secure processing under these regulations.