CVE-2026-44737 Overview
CVE-2026-44737 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Grav Admin plugin (grav-plugin-admin), the HTML user interface used to configure Grav CMS and manage page content. The flaw exists in versions prior to 1.10.49.5, where the application fails to validate and sanitize the data[header][title] parameter. An attacker can craft a malicious URL containing a JavaScript payload that is reflected back in the HTTP response and executed inside the victim's authenticated browser session. The vulnerability was addressed in Grav Admin plugin 1.10.49.5 via GitHub Security Advisory GHSA-fmg2-f5r9-24qc.
Critical Impact
Successful exploitation enables script execution in the context of an authenticated Grav administrator, potentially leading to session hijacking, configuration tampering, and content modification on the CMS.
Affected Products
- Grav CMS Admin Plugin (grav-plugin-admin) prior to 1.10.49.5
- Grav installations using the bundled administrative interface
- Sites configured to allow authenticated users access to the page move dialog
Discovery Timeline
- 2026-05-11 - CVE-2026-44737 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44737
Vulnerability Analysis
The vulnerability resides in the client-side rendering logic of the Grav Admin plugin page move dialog. The administrative interface constructs DOM elements using string interpolation that embeds untrusted page metadata directly into HTML markup. When an attacker supplies a payload through the data[header][title] parameter, the value is reflected into the rendered response and parsed as HTML rather than text.
Because administrators must be authenticated to reach the affected dialog, the exploitation requires user interaction such as clicking a crafted link or visiting an attacker-controlled page that triggers the request. Once executed, the injected script runs with the privileges of the administrative session and can issue requests against the Grav backend on behalf of the victim.
Root Cause
The root cause is unsafe HTML construction in two JavaScript modules: themes/grav/app/forms/fields/parents.js and themes/grav/app/utils/finderjs.js. Both files inserted page label values into template strings without escaping, allowing attribute and tag-context injection through fields the user controls.
Attack Vector
An attacker crafts a URL or page entry containing JavaScript in the title field, then lures an authenticated Grav administrator to interact with the page move dialog or breadcrumb component. The browser parses the reflected payload, executes the script, and the attacker can act as the administrator.
// Patch excerpt: themes/grav/app/forms/fields/parents.js
static createItemContent(config, item) {
const frag = document.createDocumentFragment();
- const label = $(`<span title="${item[config.labelKey]}" />`);
+ const label = $('<span />').attr('title', item[config.labelKey]);
const infoContainer = $('<span class="info-container" />');
const iconPrepend = $('<i />');
const iconAppend = $('<i />');
}
// Source: https://github.com/getgrav/grav-plugin-admin/commit/f67cc18e81d8767bb43d29ee6422c55ed0427803
The vulnerable code interpolates item[config.labelKey] into an HTML attribute via a template literal, allowing an attacker to break out of the title attribute. The fix uses jQuery's .attr(), which safely sets the attribute value without parsing it as HTML.
// Patch excerpt: themes/grav/app/utils/finderjs.js
-this.pathBar.append(`
- <span class="breadcrumb-node breadcrumb-node-${item.type}" ${item.type === 'dir' ? `data-breadcrumb-node="${itemKeys}"` : ''}>
- <i class="fa fa-fw ${this.getIcon(item.type)}"></i>
- <span class="breadcrumb-node-name">${$('<div />').html(item[this.config.labelKey]).html()}</span>
- ${!isLast ? '<i class="fa fa-fw fa-chevron-right"></i>' : ''}
- </span>
-`);
+const node = $('<span class="breadcrumb-node" />')
+ .addClass(`breadcrumb-node-${item.type}`)
+ .append($('<i class="fa fa-fw" />').addClass(this.getIcon(item.type)))
+ .append($('<span class="breadcrumb-node-name" />').text(item[this.config.labelKey]));
+
+if (item.type === 'dir') {
+ node.attr('data-breadcrumb-node', itemKeys);
+}
+if (!isLast) {
+ node.append($('<i class="fa fa-fw fa-chevron-right" />'));
+}
+this.pathBar.append(node);
// Source: https://github.com/getgrav/grav-plugin-admin/commit/f67cc18e81d8767bb43d29ee6422c55ed0427803
The fix replaces template-string HTML construction with safe DOM APIs, using .text() and .attr() so user-supplied values are treated as data rather than markup.
Detection Methods for CVE-2026-44737
Indicators of Compromise
- HTTP requests to Grav admin endpoints containing data[header][title] values with script tags, event handlers (onerror=, onload=), or quote-breaking sequences.
- Unexpected outbound requests from administrator browsers to unfamiliar domains shortly after accessing the page move or breadcrumb interface.
- Modifications to Grav pages, user accounts, or plugin configuration that do not correspond to legitimate administrative activity.
Detection Strategies
- Inspect web server and reverse proxy logs for query strings or POST bodies containing <script, javascript:, or HTML attribute-breaking characters in title-related parameters.
- Review Grav page front matter (title fields) for content that includes HTML or JavaScript constructs.
- Compare deployed grav-plugin-admin version against 1.10.49.5 using package manifests or the admin panel version string.
Monitoring Recommendations
- Enable HTTP request logging on the Grav admin path and alert on parameter values that match XSS payload signatures.
- Monitor browser security telemetry from administrative workstations for Content Security Policy (CSP) violations originating on Grav admin pages.
- Track changes to Grav content files and user records, correlating modifications with the active administrator session.
How to Mitigate CVE-2026-44737
Immediate Actions Required
- Upgrade grav-plugin-admin to version 1.10.49.5 or later on every affected Grav installation.
- Audit existing page front matter for title values that contain HTML or script content and remove any unauthorized entries.
- Force re-authentication and rotate administrative session cookies after patching to invalidate any sessions that may have been compromised.
Patch Information
The vulnerability is fixed in grav-plugin-admin1.10.49.5. Details are published in the GitHub Security Advisory GHSA-fmg2-f5r9-24qc, and the code changes are available in the GitHub Commit f67cc18.
Workarounds
- Restrict access to the Grav admin interface using network controls such as IP allowlisting or VPN-only access until patching is complete.
- Deploy a Content Security Policy (CSP) on the admin path that disallows inline script execution to reduce the impact of reflected payloads.
- Limit administrative accounts to trusted users and require administrators to avoid clicking untrusted links while authenticated to the Grav backend.
# Update the Grav admin plugin to the fixed release
cd /path/to/grav
bin/gpm update admin
# Verify the installed version is 1.10.49.5 or later
bin/gpm info admin | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
