Headline
GHSA-mpjj-4688-3fxg: Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.
Details
Vulnerable Endpoint: POST /admin/pages/[page]
Parameters:
data[header][metadata]data[header][taxonomy][category]data[header][taxonomy][tag]
The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page’s YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.
PoC
Payload:
<script>alert('PoC-XXS51')</script>
Steps to Reproduce:
Log into the Grav Admin Panel and navigate to Pages.
Create or edit a page.
Inject the payload above into any of the following fields in the Options tab:
Metadata key name
Category under Taxonomy
Tag under Taxonomy
- Save the page.
When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.
Impact
Stored XSS vulnerabilities can result in serious consequences, including:
Session hijacking: Attackers can steal authentication cookies or tokens
Malware delivery: Injected scripts can download malicious software
Credential theft: Fake input fields can capture usernames and passwords
Sensitive data exposure: Access to internal metadata and browser data
Administrative access compromise: Especially dangerous in admin-facing interfaces
Phishing attacks: Users can be redirected to external malicious sites
Reputation damage: Executing arbitrary scripts in trusted systems undermines credibility
by CVE-Hunters
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.
Details
Vulnerable Endpoint: POST /admin/pages/[page]
Parameters:
data[header][metadata]
data[header][taxonomy][category]
data[header][taxonomy][tag]
The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page’s YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.
PoC
Payload:
<script>alert(‘PoC-XXS51’)</script>
Steps to Reproduce:
Log into the Grav Admin Panel and navigate to Pages.
Create or edit a page.
Inject the payload above into any of the following fields in the Options tab:
Metadata key name
Category under Taxonomy
Tag under Taxonomy
- Save the page.
When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.
Impact
Stored XSS vulnerabilities can result in serious consequences, including:
Session hijacking: Attackers can steal authentication cookies or tokens
Malware delivery: Injected scripts can download malicious software
Credential theft: Fake input fields can capture usernames and passwords
Sensitive data exposure: Access to internal metadata and browser data
Administrative access compromise: Especially dangerous in admin-facing interfaces
Phishing attacks: Users can be redirected to external malicious sites
Reputation damage: Executing arbitrary scripts in trusted systems undermines credibility
by CVE-Hunters
References
- GHSA-mpjj-4688-3fxg
- https://nvd.nist.gov/vuln/detail/CVE-2025-66311
- getgrav/grav-plugin-admin@99f6532