Cross-Site Scripting Vulnerability in Grav by Get Grav
CVE-2026-61453

5.1MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61453?

Grav v2.0.0 is susceptible to a cross-site scripting (XSS) vulnerability that allows attackers with page-write API permissions to inject malicious JavaScript. This occurs when the XSS blueprint validator processes raw page content without adequate protection, particularly during the Twig content rendering phase. By exploiting Twig's string concatenation operator, an attacker can construct harmful event handler names and tag protocols that bypass initial security checks. As a result, the rendered output can execute arbitrary JavaScript, putting users at risk when they interact with the affected web pages.

Affected Version(s)

grav 0 < 2.0.1

grav 2.0.1

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
gemstone-source
.