CVE-2026-11982

Description

Grav 2.0.0-rc.9 with Admin2 2.0.0-rc.14 contains a stored cross-site scripting (XSS) vulnerability in the Admin2 Pages API save flow.

PUBLISHED Reserved 2026-06-11 | Published 2026-06-18 | Updated 2026-06-18 | Assigner Fluid Attacks

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Credits

Santiago Alvarez finder

Fluid Attacks' AI SAST Scanner finder

References

github.com/...v/grav/security/advisories/GHSA-5wc5-7v9g-f7v6 exploit

fluidattacks.com/es/advisories/luis third-party-advisory

github.com/getgrav/grav-plugin-api product

github.com/...ommit/b8ca62eddb7dbea92075a78b1c0a507f03d66d4a patch

github.com/...v/grav/security/advisories/GHSA-5wc5-7v9g-f7v6 vendor-advisory

cve.org (CVE-2026-11982)

nvd.nist.gov (CVE-2026-11982)

Download JSON