Cross-Site Scripting Vulnerability in Grav by Get Grav
CVE-2026-61453
5.1MEDIUM
What is CVE-2026-61453?
Grav v2.0.0 is susceptible to a cross-site scripting (XSS) vulnerability that allows attackers with page-write API permissions to inject malicious JavaScript. This occurs when the XSS blueprint validator processes raw page content without adequate protection, particularly during the Twig content rendering phase. By exploiting Twig's string concatenation operator, an attacker can construct harmful event handler names and tag protocols that bypass initial security checks. As a result, the rendered output can execute arbitrary JavaScript, putting users at risk when they interact with the affected web pages.
Affected Version(s)
grav 0 < 2.0.1
grav 2.0.1
