CVE-2026-11982
Status: Received - Intake
Stored XSS in Grav Admin2 Pages API

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Fluid Attacks

Description
Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored cross-site scripting (XSS) vulnerability in the Admin2 Pages API save flow.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs

Vendor    Product            Version / Range
grav      grav               2.0.0-rc.9
admin2    admin2             2.0.0-rc.14
getgrav   grav               2.0.0-rc.9
getgrav   admin2             2.0.0-rc.14
getgrav   grav-plugin-api    1.0.0-rc.14
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-11982 is a stored cross-site scripting (XSS) vulnerability in Grav CMS version 2.0.0-rc.9 with Admin2 2.0.0-rc.14 and API plugin 1.0.0-rc.14.

The vulnerability occurs in the Admin2 Pages API save flow, where an authenticated non-superadmin user with page write permissions can send a crafted PATCH request to inject arbitrary HTML event-handler JavaScript into page Markdown content.

This malicious payload is stored in the page file and later rendered on the public frontend without proper sanitization, causing the JavaScript to execute for any visitor accessing the affected page, including administrators.

The root cause is that the Admin2/API partial page validation calls Validation::validate() but omits the XSS safety check Validation::checkSafety(), allowing the malicious payload to bypass XSS detection and be persisted.

Impact Analysis

This vulnerability allows an authenticated user with page write permissions, but not superadmin privileges, to execute arbitrary JavaScript code in the context of the website.

The impact includes arbitrary JavaScript execution in the site's origin, which can lead to same-origin requests using the victim's session.

An attacker could modify page content or administrative state if the victim has sufficient permissions, potentially compromising site integrity and user trust.

Because the malicious script executes for any visitor accessing the affected page, including administrators, it can be used to escalate privileges or steal sensitive information.

The vulnerability is rated moderate severity, with a CVSS v4 base score of 5.1, reflecting its low attack complexity on one hand and the authenticated, page-write privileges it requires on the other.

Detection Guidance

This vulnerability can be detected by monitoring for crafted PATCH requests to the Admin2 Pages API endpoint, specifically targeting the /api/v1/pages/{route} path. An authenticated non-superadmin user with page write permissions may send such requests containing malicious HTML event-handler JavaScript injected into page Markdown content.

Detection involves inspecting API traffic for suspicious PATCH requests that modify page content with embedded JavaScript event handlers. Since the vulnerability involves stored cross-site scripting (XSS), reviewing page content changes for unexpected script injections is also important.

Network monitoring or web application firewall (WAF) logs can be filtered for PATCH requests to the API endpoint. The request shape to look for in those logs is the following (shown here as a curl invocation):

  • curl -X PATCH -H "Authorization: Bearer <token>" -d '{"content": "some malicious <img src=x onerror=alert(1)>"}' https://yourgravsite.com/api/v1/pages/<route>

Additionally, searching server logs or database/page files for suspicious injected JavaScript event handlers in Markdown content can help identify exploitation attempts.
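The file and log review described above can be scripted. The following is an added triage filter, not code from Grav or from this advisory, that flags content bodies containing inline HTML event-handler attributes, javascript: URIs or script tags; the PATCH bodies it scans are constructed samples (the payload on the second one is the same one quoted in the curl example above), and the route and content field names are assumed to mirror the API's page save payload.

```python
import re

# Constructed sample PATCH bodies, shaped like Admin2 Pages API page saves
# (hypothetical; the "route" and "content" keys are an assumption here).
SAMPLE_PATCH_BODIES = [
    {"route": "/home", "content": "# Welcome\n\nPlain **Markdown** with a [link](/about)."},
    {"route": "/blog/post-1", "content": "Text with an image <img src=x onerror=alert(1)> inline."},
    {"route": "/contact", "content": '<a href="JavaScript:void(0)" onClick = "doThing()">click</a>'},
]

# Inline HTML that a Markdown renderer passes through to the browser verbatim.
# A Validation::checkSafety()-style gate is what should reject these server-side;
# this scanner only finds them after the fact in logs or stored page files.
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
JS_URI = re.compile(r"<[^>]*\b(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_active_content(markdown: str) -> list[str]:
    """Return the names of the risky constructs present in one content body."""
    findings = []
    if EVENT_HANDLER.search(markdown):
        findings.append("event-handler attribute")
    if JS_URI.search(markdown):
        findings.append("javascript: URI")
    if SCRIPT_TAG.search(markdown):
        findings.append("script tag")
    return findings


def scan_patch_bodies(bodies: list[dict]) -> dict[str, list[str]]:
    """Map each route to its findings, keeping only bodies that have any."""
    return {
        body["route"]: found
        for body in bodies
        if (found := find_active_content(body.get("content", "")))
    }


if __name__ == "__main__":
    for route, found in scan_patch_bodies(SAMPLE_PATCH_BODIES).items():
        print(f"{route}: {', '.join(found)}")
```

The same `find_active_content()` call can be run over the body of each stored page `.md` file; pages that legitimately embed raw HTML will produce hits, so treat the output as a review queue rather than a verdict.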

Mitigation Strategies

Immediate mitigation steps include updating Grav CMS, Admin2 plugin, and API plugin to the patched versions released after June 12, 2026, which enforce proper XSS safety checks during the Admin2 Pages API save flow.

Specifically, apply the patch that ensures the API's partial-field validation calls Validation::checkSafety() alongside Validation::validate(), preventing malicious script injection.

Until the update is applied, restrict page write permissions to trusted users only, especially limiting non-superadmin users from editing pages via the API.

Monitor and audit page content changes for suspicious JavaScript injections and consider implementing additional input sanitization or WAF rules to block suspicious payloads targeting the API.

Compliance Impact

The vulnerability allows an authenticated non-superadmin user with page write permissions to inject arbitrary JavaScript into page content, which is then executed in the context of the site for any visitor, including administrators.

This stored cross-site scripting (XSS) flaw can lead to unauthorized actions performed on behalf of users, session hijacking, or modification of administrative content, potentially exposing sensitive data or compromising user trust.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure handling of user sessions to prevent unauthorized access or data breaches.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.
