Grav XSS Escalates to RCE via Admin Panel

A critical cross-site scripting (XSS) vulnerability, tracked as CVE-2026-42611, has been identified in Grav, a popular file-based web platform. As reported by the National Vulnerability Database, this flaw allows a low-privileged user, specifically one with page creation capabilities, to inject SVG elements and trigger an XSS.

This XSS is not just a nuisance; it’s a stepping stone. The National Vulnerability Database further details that the XSS can be escalated to dump sensitive system information from the /admin/config/info page whenever a Super Admin visits it. Critically, this can then be chained with the admin-nonce mechanism to achieve a complete server compromise, resulting in Remote Code Execution (RCE). This is a serious attack path.

The vulnerability, which carries a CVSS score of 8.9 (HIGH), is fixed in Grav version 2.0.0-beta.2. Any organization running Grav versions prior to this beta release is exposed to a significant risk of server takeover if an attacker gains even minimal authenticated access.

What This Means For You

  • If your organization uses Grav, you need to immediately check your version. Any installation prior to 2.0.0-beta.2 is vulnerable. Patching is non-negotiable. Audit your Grav instances for unauthorized page creations or suspicious activity, especially if you have users with low-privileged access. This isn't theoretical; it's a direct path to RCE.
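As an added example (not part of the advisory or of the Grav project), the following Python script performs the two checks above: it triages a Grav version string (the GRAV_VERSION value from system/defines.php) against the fixed release, and scans page sources for inline SVG written into pages. The user/pages layout and the sample page contents are assumptions constructed for the example.

```python
"""Defender-side checks for CVE-2026-42611 in Grav: version triage against the
fixed release, and a scan of page sources for the inline SVG the advisory names."""
import re

FIXED_VERSION = "2.0.0-beta.2"  # first fixed release per the advisory


def parse_version(v):
    """'1.7.48' or '2.0.0-beta.2' -> sortable tuple; a final release sorts
    after every pre-release of the same number (2.0.0 > 2.0.0-beta.2)."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if not pre:
        return (nums, 1, ("", 0))
    tag, _, n = pre.partition(".")
    return (nums, 0, (tag, int(n) if n.isdigit() else 0))


def is_vulnerable_version(v):
    """True for any Grav version before 2.0.0-beta.2."""
    return parse_version(v) < parse_version(FIXED_VERSION)


# Page sources live under user/pages/**/*.md (assumed default Grav layout).
# Any inline <svg> written by a non-admin author deserves review; script tags,
# on* handlers or javascript: URLs inside it raise the finding to high.
ACTIVE_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.I)


def find_inline_svg(markdown):
    """Return (severity, snippet) for each inline SVG element in a page source."""
    findings = []
    for m in re.finditer(r"<svg\b", markdown, re.I):
        end = markdown.find("</svg>", m.start())
        block = markdown[m.start(): len(markdown) if end == -1 else end + 6]
        sev = "high" if ACTIVE_RE.search(block) else "review"
        findings.append((sev, block[:60]))
    return findings


def scan_pages(pages):
    """pages: {path relative to user/pages: markdown text} -> {path: findings}."""
    return {p: h for p, t in pages.items() if (h := find_inline_svg(t))}


# Constructed sample pages (not real Grav content) to exercise the scan.
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Welcome\nPlain markdown only.",
    "02.blog/post/item.md": "---\ntitle: Post\n---\n<svg onload=\"x()\"></svg>\nBody",
    "03.about/default.md": "---\ntitle: About\n---\n<svg viewBox=\"0 0 9 9\"><circle r=\"4\"/></svg>",
}
```

To run it against a real install, read each `.md` under user/pages into the dictionary passed to scan_pages and review every reported path, not only the high findings.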

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-42611  XSS                     Grav web platform versions prior to 2.0.0-beta.2
CVE-2026-42611  XSS                     Injection of SVG element by low-privileged user
CVE-2026-42611  Information Disclosure  Escalation to dump system information from /admin/config/info
CVE-2026-42611  RCE                     Chaining with admin-nonce for server compromise
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 19:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
