๐Ÿ” CVE Alert

CVE-2026-61453

MEDIUM 6.1

Grav before 2.0.1 XSS via Twig String Concatenation

CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th

Grav v2.0.0 contains a cross-site scripting vulnerability (fixed in 2.0.1). The XSS blueprint validator (Security::detectXss()) runs on raw page content before Twig processing. When Twig content processing is enabled (twig_content.process_enabled: true), an attacker with page-write API permission can use Twig's string concatenation operator (~) to dynamically construct event handler names, dangerous tag names, or dangerous protocols at render time (e.g. {% set x = "on" ~ "error" %}). The validator sees only the harmless Twig expression and allows the content, but after Twig rendering the output (rendered via {{ page.content|raw }}) contains an active payload such as <img src=1 onerror=alert(1)>, executing arbitrary JavaScript in visitors' browsers.

CWE CWE-79
Vendor getgrav
Product grav
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for getgrav grav

Be the first to know when new medium vulnerabilities affecting getgrav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

getgrav / grav
0 < 2.0.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-2c4f-86xc-cr74 vulncheck.com: https://www.vulncheck.com/advisories/grav-before-xss-via-twig-string-concatenation

Credits

๐Ÿ” alienkeric ๐Ÿ” gemstone-source