CVE-2026-61453

Source
https://cve.org/CVERecord?id=CVE-2026-61453
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61453.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-61453
Aliases
  • GHSA-2c4f-86xc-cr74
Published
2026-07-15T11:25:45.830Z
Modified
2026-07-17T03:41:50.102977553Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Grav before 2.0.1 XSS via Twig String Concatenation
Details

Grav v2.0.0 contains a cross-site scripting vulnerability (fixed in 2.0.1). The XSS blueprint validator (Security::detectXss()) runs on raw page content before Twig processing. When Twig content processing is enabled (twigcontent.processenabled: true), an attacker with page-write API permission can use Twig's string concatenation operator (~) to dynamically construct event handler names, dangerous tag names, or dangerous protocols at render time (e.g. {% set x = "on" ~ "error" %}). The validator sees only the harmless Twig expression and allows the content, but after Twig rendering the output (rendered via {{ page.content|raw }}) contains an active payload such as <img src=1 onerror=alert(1)>, executing arbitrary JavaScript in visitors' browsers.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61453.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/getgrav/grav

Affected ranges

Type
GIT
Repo
https://github.com/getgrav/grav
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.8.0
0.9.0
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
1.*
1.1.0-beta.1
1.1.0-beta.2
1.1.0-beta.3
1.1.0-beta.4
1.1.0-beta.5
1.1.0-rc.1
1.1.0-rc.2
1.1.0-rc.3
1.1.9-rc.1
1.1.9-rc.2
1.1.9-rc.3
1.2.0-rc.1
1.2.0-rc.2
1.2.0-rc.3
1.3.0-rc.1
1.3.0-rc.3
1.3.0-rc.4
1.3.0-rc.5
1.5.0-beta.1
1.5.0-beta.2
1.5.0-rc.1
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.5
1.6.0-beta.6
1.6.0-beta.7
1.6.0-beta.8
1.6.0-rc.1
1.6.0-rc.2
1.6.0-rc.3
1.6.0-rc.4
1.7.0
1.7.0-beta.1
1.7.0-beta.10
1.7.0-beta.2
1.7.0-beta.3
1.7.0-beta.4
1.7.0-beta.5
1.7.0-beta.6
1.7.0-beta.7
1.7.0-beta.8
1.7.0-beta.9
1.7.0-rc.1
1.7.0-rc.10
1.7.0-rc.12
1.7.0-rc.13
1.7.0-rc.14
1.7.0-rc.15
1.7.0-rc.17
1.7.0-rc.18
1.7.0-rc.19
1.7.0-rc.2
1.7.0-rc.20
1.7.0-rc.3
1.7.0-rc.4
1.7.0-rc.5
1.7.0-rc.6
1.7.0-rc.7
1.7.0-rc.8
1.7.0-rc.9
1.7.1
1.7.10
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.26.1
1.7.27
1.7.27.1
1.7.28
1.7.29
1.7.29.1
1.7.3
1.7.30
1.7.31
1.7.32
1.7.33
1.7.34
1.7.35
1.7.36
1.7.37
1.7.37.1
1.7.38
1.7.39
1.7.39.1
1.7.4
1.7.5
1.7.51
1.7.52
1.7.53
1.7.6
1.7.7
1.7.8
1.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61453.json"