CVE-2020-15253

HIGH

grocy <= 2.7.1 - Authenticated Stored Cross-Site Scripting via Shopping List Deletion


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-15253. PoCs published by Mufaddal Masalawala.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in grocy 2.7.1 via the 'Create Shopping List' module. The payload is stored in the 'Name' field and executed when the shopping list is deleted.

Description

Versions of Grocy <= 2.7.1 are vulnerable to stored Cross-Site Scripting via the Create Shopping List module: a payload saved in the shopping list's Name field is rendered, unescaped, when that shopping list is deleted, and so executes in the browser of whichever user performs the deletion. The same issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, task categories, product groups, recipes and products. Authentication is required to exploit these issues, and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
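The pattern behind this class of bug, as an added illustration that is not grocy's own code: a stored Name value concatenated straight into the HTML of a delete-confirmation message, next to the same message built with the value escaped first. The record, the function names and the event-handler check are all assumptions made for this example, not identifiers from grocy or from the exploit.

```javascript
// Added example (not grocy's code): stored XSS through a delete confirmation.

// Hypothetical record as an attacker could save it through a "Create ..." form.
// Constructed sample input; the payload is a tag with an event handler.
const storedShoppingList = {
  id: 7,
  name: '<img src=x onerror="alert(document.cookie)">',
};

// Vulnerable pattern: the stored name is concatenated into HTML that a
// confirmation dialog will render, so any markup in the name becomes live DOM.
function buildDeleteMessageVulnerable(kind, record) {
  return 'Are you sure to delete ' + kind + ' "' + record.name + '"?';
}

// Minimal HTML escaper for the five characters that can break out of
// text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape at the point the untrusted value is inserted into
// HTML. The dialog still shows the literal name, but as text, not as markup.
function buildDeleteMessageSafe(kind, record) {
  return 'Are you sure to delete ' + kind + ' "' + escapeHtml(record.name) + '"?';
}

// Crude check used only to make the difference visible: does the rendered
// message still contain a tag carrying an on*= event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// The same function pair applies to every entity type named in the advisory
// (users, batteries, chores, ...): the fix is output encoding, not a
// per-module special case.
const vulnerableMessage = buildDeleteMessageVulnerable('shopping list', storedShoppingList);
const safeMessage = buildDeleteMessageSafe('shopping list', storedShoppingList);
console.log('vulnerable:', vulnerableMessage, '->', containsEventHandlerTag(vulnerableMessage));
console.log('safe:      ', safeMessage, '->', containsEventHandlerTag(safeMessage));
```

Escaping on output is the fix; rejecting angle brackets on the create form would not help, because the same stored value is rendered by other views and the API accepts values the form never sees.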

Exploits (1)

exploitdb (working PoC)
by Mufaddal Masalawala · text · webapps · php
https://www.exploit-db.com/exploits/48792


Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: grocy 2.7.1
Auth required
Prerequisites: Authenticated access to the grocy application
Analyzed by devstral-2 on Feb 18, 2026

References (5)

https://www.exploit-db.com/exploits/48792 (Exploit, Third Party Advisory, VDB Entry)
https://github.com/grocy/grocy/issues/996 (Exploit, Issue Tracking, Third Party Advisory)

Scores

CVSS v3.1 base score: 7.3 (High)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.0123 (percentile 65.1%)
Attack Vector: NETWORK

Details

CWE
CWE-79
Status published
Products (1)
grocy/grocy <= 2.7.1
Published Oct 14, 2020
Tracked Since Feb 18, 2026