CVE-2025-46198

HIGH

Grav 1.7.46-1.7.48 - Cross-Site Scripting via IMG onerror Attribute

Title source: llm

Description

Cross-Site Scripting vulnerability in Grav v1.7.46, v1.7.47 and v1.7.48 allows an attacker to execute arbitrary code via the onerror attribute of the img element.

References (2)

Exploit, Third Party Advisory
https://tyojong.tistory.com/1

Scores

CVSS v3 8.8
EPSS 0.0063
EPSS Percentile 45.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
getgrav/grav 1.7.46 - 1.7.48
Published Jul 25, 2025
Tracked Since Feb 18, 2026