Cross-Site Scripting Vulnerability in Grav Admin Plugin by GetGrav
CVE-2020-37256

5.1 MEDIUM

Key Information:

Vendor

Grav

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2020-37256?

Grav prior to version 1.6.30 is vulnerable to cross-site scripting (XSS) in the page editor of its Admin plugin. Privileged users who are able to edit pages can inject malicious scripts. These scripts can execute arbitrary code, enabling attackers to install malicious plugins and thereby compromise system security.

Affected Version(s)

Grav 0 < 1.6.30

Grav 1.6.30

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ShrubberyRubbery