Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.
References
| Link | Resource |
|---|---|
| https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9 | Vendor Advisory |
| https://www.vulncheck.com/advisories/grav-cross-site-scripting-in-admin-plugin-page-editor | Third Party Advisory |
History
26 Jun 2026, 18:58
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* |
| First Time | | Getgrav; Getgrav grav |
| References | | https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9 - Vendor Advisory |
| References | | https://www.vulncheck.com/advisories/grav-cross-site-scripting-in-admin-plugin-page-editor - Third Party Advisory |
25 Jun 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-25 22:16
Updated : 2026-06-27 04:17
NVD link : CVE-2020-37256
Mitre link : CVE-2020-37256
CVE.ORG link : CVE-2020-37256
Products Affected
getgrav
- grav
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
