CVE-2026-44737
Grav: Stored XSS via page title (data[header][title]) in admin panel
Description
### Summary _A Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][title] parameter._ --- ### Details Vulnerable Endpoint: GET /admin/pages/[page] Parameter: data[header][title] The application fails to properly validate and sanitize user input in the data[header][title] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. --- ### PoC **Payload:** `<img src=1 onerror=alert(1)>` 1. Log in to the Grav Admin Panel and navigate to Pages. 2. Create a new page or edit an existing one. 3. Edit title of the page to `<img src=1 onerror=alert(1)>` <img width="1897" height="700" alt="image" src="https://github.com/user-attachments/assets/77a129ca-5c2b-4743-8c56-c17fa456eefa" /> 4. Save page 5. Open the move function and click on the folder having the payload <img width="1904" height="984" alt="image" src="https://github.com/user-attachments/assets/44f8f88f-76c4-449f-8c4e-11e8e2c51d8f" /> <img width="1902" height="995" alt="image" src="https://github.com/user-attachments/assets/1dc2ef15-e534-4e87-93ea-92bc573af7f1" /> --- ### Impact Stored cross-site scripting (XSS) attacks can have serious consequences, including: - User actions: Attackers can perform actions on behalf of the user - Data theft: Sensitive information such as session cookies can be stolen - Account compromise: Attackers may impersonate legitimate users - Malicious code execution: Arbitrary JavaScript code can run in the user’s browser - Website defacement or misinformation: Malicious output may be injected visually - User redirection: Victims may be redirected to phishing or malicious websites By [Vu Duc Hieu](https://github.com/vdh1612) Contributor [Simon Tran](https://github.com/simontranduy)
How to fix CVE-2026-44737
To remediate CVE-2026-44737, upgrade the affected package to a fixed version below.
- —upgrade to 1.7.49.5 or later
Is CVE-2026-44737 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.