CVE-2026-44737
Severity: MEDIUM
grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]
Title source: cnaDescription
grav-plugin-admin is the admin plugin for Grav: an HTML user interface that provides a convenient way to configure Grav and to create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL containing an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed in the context of the victim's browser session. This vulnerability is fixed in 1.10.49.5.
References (2)
x_refsource_confirm
https://github.com/getgrav/grav/security/advisories/GHSA-fmg2-f5r9-24qc
x_refsource_misc
https://github.com/getgrav/grav-plugin-admin/commit/f67cc18e81d8767bb43d29ee6422c55ed0427803
Scores
CVSS v4 base score
6.2
EPSS
0.0026
EPSS Percentile
16.8%
CVSS v4 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
getgrav/grav (Packagist)
0 - 1.7.49.5
getgrav/grav-plugin-admin
< 1.10.49.5
Published
May 11, 2026
Tracked Since
May 11, 2026