Threat Feed
high threat

Grav CMS Stored XSS Vulnerability Leading to Potential RCE

A stored XSS vulnerability exists in Grav Core + Admin Plugin versions before 2.0.0-beta.2, where a low-privileged user can inject malicious code via a crafted tag, potentially leading to the exfiltration of admin session context, bypassing CSRF protections, and escalating to remote code execution (RCE).

Grav CMS versions prior to 2.0.0-beta.2 are susceptible to a stored XSS vulnerability. A low-privileged user with the ability to create pages can inject arbitrary JavaScript code through a crafted SVG tag. This vulnerability resides in the system/src/Grav/Common/Security.php file, specifically in the detectXss function, where insufficient input sanitization allows bypassing the intended XSS filter. Successful exploitation can lead to an administrator's session context being compromised, including the admin_nonce. This, in turn, enables attackers to bypass CSRF protections and execute arbitrary code on the server. The vulnerability was patched on 2026-04-24 and will be included in version 2.0.0-beta.2.

Attack Chain

  1. A low-privileged user logs into the Grav CMS admin panel.
  2. The user creates a new page or edits an existing one via the admin/pages/<page> endpoint.
  3. In the page content, the user injects a malicious SVG tag containing an onerror event handler: <svg><foreignObject><img src=x onerror=eval(atob('...'))></foreignObject></svg>. The base64-encoded payload fetches the /grav-admin/admin/config/info endpoint.
  4. The malicious page is saved.
  5. A Super Admin user visits the compromised page through the Grav admin panel.
  6. The injected JavaScript executes within the Super Admin's browser session.
  7. The script fetches the /grav-admin/admin/config/info endpoint, which contains sensitive system information and the admin nonce.
  8. The script sends the exfiltrated data to an attacker-controlled server via navigator.sendBeacon.
  9. The attacker uses the exfiltrated admin_nonce to perform CSRF attacks and potentially achieve RCE.

Impact

Successful exploitation of this stored XSS vulnerability can lead to full system compromise. An attacker can leverage the exfiltrated admin_nonce to bypass CSRF protection, gain administrative privileges, and ultimately execute arbitrary code on the server. The impact includes potential data breaches, system takeover, and complete loss of confidentiality, integrity, and availability. This issue affects Grav Core + Admin Plugin versions prior to Grav v1.7.49.5 and Admin v1.10.49.1. The vulnerability has a CVSS score of 9.0, indicating a critical risk.

Recommendation

  • Upgrade to Grav CMS version 2.0.0-beta.2 or later to address the vulnerability.
  • Deploy the following Sigma rule to detect the injection of potentially malicious SVG tags in page content using web server logs, looking for a cs-uri-query field containing both <svg and onerror: "Detect Suspicious SVG Tag Injection in Grav CMS". Match case-insensitively and after URL decoding, since browsers submit these characters percent-encoded (%3Csvg, onerror%3D).
  • Enable web server logging that captures the parameters of POST requests to the admin/pages/<page> endpoint and monitor them for SVG tags with event handlers via the cs-uri-query field. Note that most web servers do not log POST bodies by default; where the injected content is only in the body, request-body logging or a WAF in front of the admin panel is needed for this check to fire.
  • Monitor network traffic for outbound connections from the Grav CMS server to external IPs, especially those initiated by browser processes. In this attack chain the navigator.sendBeacon call runs in the Super Admin's browser, so administrator workstations and their browser egress are the other vantage point to cover.

Detection coverage (2 rules)

Detect Suspicious SVG Tag Injection in Grav CMS

Severity: high

Detects the injection of potentially malicious SVG tags containing onerror event handlers in Grav CMS page content.

Type: sigma | Tactics: initial_access | Techniques: T1189 | Sources: webserver, linux

Detect System Info Exfiltration via navigator.sendBeacon

Severity: high

Detects exfiltration of system information using navigator.sendBeacon after XSS exploitation in Grav CMS.

Type: sigma | Tactics: exfiltration | Techniques: T1041 | Sources: webserver, linux
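The Sigma rule bodies themselves are not reproduced on this page, so the following is an added example of how the two detections above can be applied to W3C extended-format web server logs (the format in which the cs-uri-query and cs(Referer) fields named in the recommendations exist). It is my own illustration, not the platform's rules and not Grav project code. The first check implements the recommendation literally (POST to an admin/pages/<page> endpoint whose URL-decoded query contains <svg and an event handler) and generalizes onerror to any on*= attribute. The second check is an assumption of mine for the exfiltration stage: a request for /admin/config/info whose Referer is a page view under admin/pages/, which is what the injected fetch in step 7 of the attack chain would look like from the CMS server's side. All log lines are constructed sample data; the payload keeps the '...' placeholder from the attack chain description.

```python
"""Scan W3C extended-format web server logs for the two stages of the Grav stored-XSS
chain: SVG/event-handler injection into page content, and the injected script's fetch
of the admin config/info endpoint. Added example, not the platform's Sigma rules."""
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample log (W3C extended log format). Line 4 is the malicious save,
# line 5 a benign SVG save, line 7 the config/info fetch made from a page view.
SAMPLE_LOG = """\
#Software: example-webserver
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2026-04-24 10:00:01 203.0.113.10 GET /grav-admin/admin/pages/home - https://cms.example/grav-admin/admin 200
2026-04-24 10:00:05 203.0.113.10 POST /grav-admin/admin/pages/home task=save&data%5Bcontent%5D=%3Csvg%3E%3CforeignObject%3E%3Cimg+src%3Dx+onerror%3Deval(atob('...'))%3E%3C/foreignObject%3E%3C/svg%3E https://cms.example/grav-admin/admin/pages/home 302
2026-04-24 10:00:09 203.0.113.10 POST /grav-admin/admin/pages/about task=save&data%5Bcontent%5D=%3Csvg+viewBox%3D%220+0+10+10%22%3E%3Ccircle+r%3D5/%3E%3C/svg%3E https://cms.example/grav-admin/admin/pages/about 302
2026-04-24 10:15:30 198.51.100.7 GET /grav-admin/admin/pages/home - https://cms.example/grav-admin/admin/pages 200
2026-04-24 10:15:31 198.51.100.7 GET /grav-admin/admin/config/info - https://cms.example/grav-admin/admin/pages/home 200
2026-04-24 11:00:00 198.51.100.7 GET /grav-admin/admin/config/info - https://cms.example/grav-admin/admin 200
"""

SVG_TAG = re.compile(r"<\s*svg\b", re.IGNORECASE)
# Any on*= attribute, not only onerror (generalization of the rule on the page).
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def parse_w3c(log_text):
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess at field alignment
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        records.append(rec)
    return records


def is_svg_injection(rec):
    """Rule from the page: POST to admin/pages/<page> whose decoded query has <svg and on*=."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if "/admin/pages/" not in rec.get("cs-uri-stem", ""):
        return False
    query = unquote_plus(rec.get("cs-uri-query", "-"))  # browsers percent-encode < > =
    return bool(SVG_TAG.search(query) and EVENT_HANDLER.search(query))


def is_config_info_from_page_view(rec):
    """Assumed heuristic: config/info requested while the Referer is a page view."""
    stem = rec.get("cs-uri-stem", "").rstrip("/")
    if not stem.endswith("/admin/config/info"):
        return False
    referer_path = urlparse(rec.get("cs(Referer)", "-")).path
    return "/admin/pages/" in referer_path


RULES = [
    ("Detect Suspicious SVG Tag Injection in Grav CMS", is_svg_injection),
    ("Config/info fetch from page view (assumed exfiltration heuristic)", is_config_info_from_page_view),
]


def scan(log_text):
    """Return (rule name, log line number, client IP) for every matching record."""
    hits = []
    for rec in parse_w3c(log_text):
        for name, predicate in RULES:
            if predicate(rec):
                hits.append((name, rec["_line"], rec.get("c-ip", "-")))
    return hits


if __name__ == "__main__":
    for name, lineno, ip in scan(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {name}")
```

The benign SVG save on line 5 (a viewBox attribute and a circle, no event handler) does not match, which is the distinction the rule relies on; the config/info request on line 8, made from the admin dashboard rather than from a page view, is likewise ignored by the heuristic.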
