Stored XSS Vulnerability in Grav with Admin2 Pages API
CVE-2026-11982

5.1 MEDIUM

Key Information:

Vendor: Grav
CVE Published: 18 June 2026

What is CVE-2026-11982?

In Grav version 2.0.0-rc.9 with Admin2 version 2.0.0-rc.14, a stored cross-site scripting (XSS) vulnerability exists within the Pages API save flow. An attacker can inject malicious scripts that are then executed in the context of the user's browser, impacting the security of the site. Users should apply the latest patches and updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

grav-plugin-api Windows 1.7.52

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Santiago Alvarez
Fluid Attacks' AI SAST Scanner