{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-core-+-admin-plugin--2.0.0-beta.2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Grav Core + Admin Plugin (\u003c 2.0.0-beta.2)"],"_cs_severities":["high"],"_cs_tags":["grav","xss","rce","webserver"],"_cs_type":"threat","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eGrav CMS versions prior to 2.0.0-beta.2 are susceptible to a stored XSS vulnerability. A low-privileged user with the ability to create pages can inject arbitrary JavaScript code through a crafted SVG tag. This vulnerability resides in the \u003ccode\u003esystem/src/Grav/Common/Security.php\u003c/code\u003e file, specifically in the \u003ccode\u003edetectXss\u003c/code\u003e function, where insufficient input sanitization allows bypassing the intended XSS filter. Successful exploitation can lead to an administrator\u0026rsquo;s session context being compromised, including the \u003ccode\u003eadmin_nonce\u003c/code\u003e. This, in turn, enables attackers to bypass CSRF protections and execute arbitrary code on the server.\nThe vulnerability was patched on 2026-04-24 and will be included in version 2.0.0-beta.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged user logs into the Grav CMS admin panel.\u003c/li\u003e\n\u003cli\u003eThe user creates a new page or edits an existing one via the \u003ccode\u003eadmin/pages/\u0026lt;page\u0026gt;\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eIn the page content, the user injects a malicious SVG tag containing an \u003ccode\u003eonerror\u003c/code\u003e event handler: \u003ccode\u003e\u0026lt;svg\u0026gt;\u0026lt;foreignObject\u0026gt;\u0026lt;img src=x onerror=eval(atob('...'))\u0026gt;\u0026lt;/foreignObject\u0026gt;\u0026lt;/svg\u0026gt;\u003c/code\u003e. The base64 encoded payload fetches the \u003ccode\u003e/grav-admin/admin/config/info\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious page is saved.\u003c/li\u003e\n\u003cli\u003eA Super Admin user visits the compromised page through the Grav admin panel.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the Super Admin\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eThe script fetches the \u003ccode\u003e/grav-admin/admin/config/info\u003c/code\u003e endpoint, which contains sensitive system information and the admin nonce.\u003c/li\u003e\n\u003cli\u003eThe script sends the exfiltrated data to an attacker-controlled server via \u003ccode\u003enavigator.sendBeacon\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated \u003ccode\u003eadmin_nonce\u003c/code\u003e to perform CSRF attacks and potentially achieve RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability can lead to full system compromise.\nAn attacker can leverage the exfiltrated \u003ccode\u003eadmin_nonce\u003c/code\u003e to bypass CSRF protection, gain administrative privileges, and ultimately execute arbitrary code on the server. The impact includes potential data breaches, system takeover, and complete loss of confidentiality, integrity, and availability. This issue affects Grav Core + Admin Plugin versions prior to \u003ccode\u003ev1.7.49.5 - Admin v1.10.49.1\u003c/code\u003e. The vulnerability has a CVSS score of 9.0, indicating a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Grav CMS version 2.0.0-beta.2 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the injection of potentially malicious SVG tags in page content using web server logs, looking for \u003ccode\u003ecs-uri-query\u003c/code\u003e containing \u003ccode\u003e\u0026lt;svg\u003c/code\u003e and \u003ccode\u003eonerror\u003c/code\u003e: \u0026ldquo;Detect Suspicious SVG Tag Injection in Grav CMS\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to monitor for POST requests containing SVG tags with event handlers in the request body via the \u003ccode\u003ecs-uri-query\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for outbound connections from the Grav CMS server to external IPs, especially those initiated by browser processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T14:00:00Z","date_published":"2026-05-06T14:00:00Z","id":"/briefs/2026-05-grav-xss/","summary":"A stored XSS vulnerability exists in Grav Core + Admin Plugin versions before 2.0.0-beta.2, where a low-privileged user can inject malicious code via a crafted tag, potentially leading to the exfiltration of admin session context, bypassing CSRF protections, and escalating to remote code execution (RCE).","title":"Grav CMS Stored XSS Vulnerability Leading to Potential RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-grav-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav Core + Admin Plugin (\u003c 2.0.0-Beta.2)","version":"https://jsonfeed.org/version/1.1"}