Cross-site Scripting (XSS) - Stored in getgrav/grav


Reported on Oct 20th 2021


Grav is vulnerable to stored XSS: in the href of an <a> tag, the HTML entity &colon; can be used in place of a literal :, so a javascript&colon;... value passes the input check while the browser still decodes it into a runnable javascript: URL.

Proof of Concept


<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>

1: Edit a page with the payload (user with low privileges).

2: Check out the target page and click on CLICK HERE.

PoC video.


This vulnerability allows execution of attacker-supplied JavaScript in the browser of any user who clicks the stored link.
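The following is an added illustration of the defensive point behind this report, not Grav's own code or the fix in commit afc69a: a check that looks for the literal text "javascript:" in raw markup never sees it when the colon is written as &colon;, whereas decoding entities first and then allowlisting the scheme does. The href extraction regex and the ALLOWED_SCHEMES policy are assumptions for the example.

```python
"""Why href checks must decode HTML entities before looking at the scheme."""
import html
import re

# Payload exactly as given in the report, plus a benign link (constructed inputs).
REPORT_PAYLOAD = '<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>'
BENIGN_LINK = '<a href="https://example.com/docs">docs</a>'

# Hypothetical, simplified href extractor for the demonstration.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")

# Hypothetical policy: schemes a user-authored link may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_has_javascript_href(markup: str) -> bool:
    """Denylist check on raw markup: blind to an entity-encoded colon."""
    return any("javascript:" in v.lower() for v in HREF_RE.findall(markup))


def normalise_href(raw: str) -> str:
    """Decode entities as the browser will (&colon; -> ':'), then drop the
    ASCII control and whitespace characters conservatively, since browser
    URL parsers strip or ignore them around and inside the scheme."""
    decoded = html.unescape(raw)
    return re.sub(r"[\x00-\x20]", "", decoded).lower()


def href_is_allowed(raw: str) -> bool:
    """Allowlist check: a relative URL, or an absolute URL with a known scheme."""
    value = normalise_href(raw)
    match = SCHEME_RE.match(value)
    if match is None:
        return True  # no valid scheme prefix: browser treats it as relative
    return match.group(1) in ALLOWED_SCHEMES


def hardened_has_unsafe_href(markup: str) -> bool:
    """Flag any href whose decoded, normalised scheme is not allowlisted."""
    return any(not href_is_allowed(v) for v in HREF_RE.findall(markup))
```

The naive check returns False for the report's payload while the hardened check returns True; both accept the benign link.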

We have contacted a member of the getgrav/grav team and are waiting to hear back 2 years ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 2 years ago
getgrav/grav maintainer validated this vulnerability 2 years ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
getgrav/grav maintainer marked this as fixed with commit afc69a 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Security.php#L82-L125 has been validated
Jamie Slome
2 years ago


CVE published! 🎉
