XSS Vulnerability in Grav Plugin Admin for Grav by Getgrav
CVE-2026-44737

6.2 MEDIUM

Key Information:

Vendor

Getgrav

CVE Published:
11 May 2026

What is CVE-2026-44737?

grav-plugin-admin is the admin plugin for the Grav content management system. Prior to version 1.10.49.5, it is susceptible to a cross-site scripting (XSS) vulnerability caused by improper validation and sanitization of user input in the data[header][title] parameter. An attacker can craft a URL containing an XSS payload; when a victim opens that URL, the injected script is executed in the victim's browser session. Users should update to version 1.10.49.5 or later to mitigate this vulnerability.

Affected Version(s)

grav-plugin-admin < 1.10.49.5

CVSS v4

Score: 6.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved