CVE-2025-46198

Published: Jul 25, 2025Modified: Aug 20, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element

Affected (1)

Products: Getgrav: Grav

Getgrav

1 product

Grav

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Getgrav Grav	From 1.7.46 to 1.7.48

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://rapid-echo-f9c.notion.site/Grav-XSS-1dbaf8998a078072bb30ffc9b9e7ab4a?pvs=4

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://tyojong.tistory.com/1

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.