CVE-2018-1000529

MEDIUM

Grails Fields plugin < 2.2.8 - Cross-Site Scripting via Display Tag

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1000529. PoCs published by martinfrancois.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2018-1000529, a stored XSS vulnerability in the Grails Fields Plugin <=2.2.7. The PoC demonstrates how unvalidated HTML/JavaScript in domain objects can be executed in the browser due to lack of encoding.

Description

Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8.

Exploits (1)

nomisec WORKING POC
by martinfrancois · poc
https://github.com/martinfrancois/CVE-2018-1000529

This repository contains a proof-of-concept for CVE-2018-1000529, a stored XSS vulnerability in the Grails Fields Plugin <=2.2.7. The PoC demonstrates how unvalidated HTML/JavaScript in domain objects can be executed in the browser due to lack of encoding.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Grails Fields Plugin <=2.2.7 (Grails v3.3.5 and below)
No auth needed
Prerequisites: Grails application with vulnerable Grails Fields Plugin
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/grails-fields-plugin/grails-fields/issues/278
Third Party Advisory x_refsource_misc
https://github.com/martinfrancois/CVE-2018-1000529

Scores

CVSS v3 6.1
EPSS 0.0034
EPSS Percentile 57.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
grails/grails_fields 2.2.7
org.grails/grails-core 0 - 3.3.6Maven
org.grails.plugins/fields 0 - 2.2.8Maven
Published Jun 26, 2018
Tracked Since Feb 18, 2026