CVE-2025-46199

Vendor	Grav CMS
Version	v.1.7.48
Vulnerability Type	Cross Site Scripting(XSS)

 

Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields

An authenticated attacker (editor role or permissions to publish), would manage to inject malicious javascript code in the form fields to be executed on the users or administrators of the application when accessing the article.

 

The vulnerability also occurs in the current version because the previous vulnerability has not been patched.

Previous Vulnerabilities(CVE-2023-31506)

 

POC

## Exploit Code

`<isindex x="javascript:" onmouseover="alert('tyojong')">`

 

 

References

https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506