CVE-2020-37256 | Grav before 1.6.30 contains a cross-site scripting vulnerabi… | CVSS 5.4 MEDIUM

Description

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

Metadata

CVE ID: CVE-2020-37256
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-22 21:55 UTC
Published: 2026-06-25 21:41 UTC
Last updated: 2026-06-25 21:41 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: Grav / Grav
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Grav	Grav	—	0 < 1.6.30, 1.6.30

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (2)

GitHub Security Advisory (GHSA-cvmr-6428-87w9) https://github.com/getgrav/grav/security/advisories/GHSA-cvmr-6428-87w9
VulnCheck Advisory: Grav - Cross-Site Scripting in Admin Plugin Page Editor https://www.vulncheck.com/advisories/grav-cross-site-scripting-in-admin-plugin-page-editor