CVE-2026-44737
grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. This vulnerability is fixed in 1.10.49.5.
| CWE | CWE-79 |
| Vendor | getgrav |
| Product | grav-plugin-admin |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for getgrav grav-plugin-admin
Be the first to know when new unknown vulnerabilities affecting getgrav grav-plugin-admin are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
getgrav / grav-plugin-admin
< 1.10.49.5